Analysis Report NcVke2zCHP.exe

Overview

General Information

Sample Name: NcVke2zCHP.exe
MD5: 89c134503c7b485308f00db6ec951d52
SHA1: 17adc71ab8262bc3eaa7ebf08dd79057bca8df10
SHA256: e00fae4228737ed6923f53d887a9deaa8f38969d187845536c3e351abadb695d

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Malware Configuration

Threatname: Agenttesla

{"Username: ": " 5gZyh", "URL: ": "", "To: ": "", "ByHost: ": "smtp.siamzime.com:587", "Password: ": " fhptkSwE4XR", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.805567331.0000000004D20000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2446894586.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.801084299.0000000003DEF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security
(5 of 7 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.NcVke2zCHP.exe.4d20000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.NcVke2zCHP.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.NcVke2zCHP.exe.4d20000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: NcVke2zCHP.exe | Avira: detected
Found malware configuration
Source: NcVke2zCHP.exe.4936.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": " 5gZyh", "URL: ": "", "To: ": "", "ByHost: ": "smtp.siamzime.com:587", "Password: ": " fhptkSwE4XR", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: NcVke2zCHP.exe | Virustotal: Detection: 52%
Source: NcVke2zCHP.exe | Metadefender: Detection: 45%
Source: NcVke2zCHP.exe | ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: NcVke2zCHP.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.NcVke2zCHP.exe.c40000.0.unpack | Avira: Label: TR/Injector.rfwry
Source: 2.2.NcVke2zCHP.exe.c40000.1.unpack | Avira: Label: TR/Injector.rfwry
Source: 2.0.NcVke2zCHP.exe.c40000.0.unpack | Avira: Label: TR/Injector.rfwry
Source: 0.2.NcVke2zCHP.exe.c40000.0.unpack | Avira: Label: TR/Injector.rfwry

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: smtp.siamzime.com
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.comx&
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://h7SA1eacSaRKowz74vj.com
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/D
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/P
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/D
Source: NcVke2zCHP.exe, 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/P

Source: NcVke2zCHP.exe, 00000000.00000002.796331973.00000000008F0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected Agent Tesla Trojan
Source: Yara match | File source: 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 0_2_02870054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_06050562 NtQuerySystemInformation
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_06050531 NtQuerySystemInformation
Source: NcVke2zCHP.exe, 00000000.00000002.796331973.00000000008F0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefirefox.exe4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJOYXTBGHGWITQSXUYEBRDQTQIPETVYLWVFYXFSRY_20190402011402081.exe4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000000.00000000.765649083.0000000000CEE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebig.exe8 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000000.00000002.797049209.0000000002790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe | Binary or memory string: OriginalFilename vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2453303088.00000000062B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000000.795457244.0000000000CEE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebig.exe8 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2453269404.0000000006260000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2453602326.0000000006630000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2451882874.0000000005C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2450970034.0000000005830000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2453558664.0000000006610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2446894586.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefirefox.exe4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe, 00000002.00000002.2446894586.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameJOYXTBGHGWITQSXUYEBRDQTQIPETVYLWVFYXFSRY_20190402011402081.exe4 vs NcVke2zCHP.exe
Source: NcVke2zCHP.exe | Binary or memory string: OriginalFilenamebig.exe8 vs NcVke2zCHP.exe
Source: 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: NcVke2zCHP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NcVke2zCHP.exe, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.NcVke2zCHP.exe.c40000.0.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.NcVke2zCHP.exe.c40000.0.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.NcVke2zCHP.exe.c40000.1.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.NcVke2zCHP.exe.c40000.0.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_060503E6 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_060503AF AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NcVke2zCHP.exe.log
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: NcVke2zCHP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NcVke2zCHP.exe | Virustotal: Detection: 52%
Source: NcVke2zCHP.exe | Metadefender: Detection: 45%
Source: NcVke2zCHP.exe | ReversingLabs: Detection: 77%
Source: unknown | Process created: C:\Users\user\Desktop\NcVke2zCHP.exe 'C:\Users\user\Desktop\NcVke2zCHP.exe'
Source: unknown | Process created: C:\Users\user\Desktop\NcVke2zCHP.exe C:\Users\user\Desktop\NcVke2zCHP.exe
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Process created: C:\Users\user\Desktop\NcVke2zCHP.exe C:\Users\user\Desktop\NcVke2zCHP.exe
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: NcVke2zCHP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NcVke2zCHP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: NcVke2zCHP.exe, 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp, NcVke2zCHP.exe, 00000002.00000002.2453269404.0000000006260000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: NcVke2zCHP.exe, 00000000.00000002.797049209.0000000002790000.00000002.00000001.sdmp, NcVke2zCHP.exe, 00000002.00000002.2453303088.00000000062B0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_063B414C push esp; ret 2_2_063B414D
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_0662C64E push es; retf 2_2_0662C654
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_067218BF push ss; retf 2_2_067218C0
Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Code function: 2_2_06722705 push es; ret 2_2_06722710
Source: initial sample | Static PE information: section name: .text entropy: 7.9941617205

Source: C:\Users\user\Desktop\NcVke2zCHP.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\NcVke2zCHP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Window / User API: threadDelayed 456
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 4416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 3064 Thread sleep count: 456 > 30
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 3064 Thread sleep time: -456000s >= -30000s
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 620 Thread sleep count: 112 > 30
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 620 Thread sleep time: -112000s >= -30000s
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 5048 Thread sleep count: 256 > 30
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 5048 Thread sleep time: -128000s >= -30000s
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 620 Thread sleep count: 53 > 30
Source: C:\Users\user\Desktop\NcVke2zCHP.exe TID: 620 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\NcVke2zCHP.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NcVke2zCHP.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Last function: Thread delayed (2 identical entries)
Source: NcVke2zCHP.exe, 00000002.00000002.2451882874.0000000005C70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: NcVke2zCHP.exe, 00000002.00000002.2451882874.0000000005C70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: NcVke2zCHP.exe, 00000002.00000002.2451882874.0000000005C70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: NcVke2zCHP.exe, 00000002.00000002.2451882874.0000000005C70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\NcVke2zCHP.exe Code function: 2_2_06723C08 LdrInitializeThunk, 2_2_06723C08
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Code function: 0_2_02870054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_02870054
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Memory written: C:\Users\user\Desktop\NcVke2zCHP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Process created: C:\Users\user\Desktop\NcVke2zCHP.exe C:\Users\user\Desktop\NcVke2zCHP.exe
The API chain above (create a process, unmap its original image with NtUnmapViewOfSection, allocate and write a new image whose first bytes are the MZ header 4D5A at the default image base 0x400000, then fix up the thread context and resume it) is the classic process-hollowing sequence, and the target here is a second copy of the sample itself.
Source: NcVke2zCHP.exe, 00000002.00000002.2448593257.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: NcVke2zCHP.exe, 00000002.00000002.2448593257.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: NcVke2zCHP.exe, 00000002.00000002.2448593257.0000000001C60000.00000002.00000001.sdmp Binary or memory string: hProgram ManagerWE
Source: NcVke2zCHP.exe, 00000002.00000002.2448593257.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
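The two behaviours that carry this verdict, the thread-sleep entries in the Malware Analysis System Evasion section and the injection chain in this section, as an added Python triage helper. This is example code written for this page, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It scans behaviour lines in the report's own "Source: ..." text shape; the sample lines are constructed for the example from entries on this page, and the thresholds are read from the lines themselves rather than assumed. One arithmetic fact is used to explain the odd delay value: Int64.MaxValue ticks divided by 10000 ticks per millisecond is 922337203685477, which is what .NET's TimeSpan.MaxValue comes to in whole milliseconds; which .NET API the sample called to produce it is not something the report states.

```python
"""Added triage helper (not part of the Joe Sandbox report): scans behaviour
lines in the report's own text format and flags the two patterns that matter
most in this sample, process hollowing and sleep-based sandbox evasion.
"""
import re

# Constructed sample input, shaped like the report's "Source: ..." lines.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\NcVke2zCHP.exe Code function: 0_2_02870054 "
    "CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,"
    "WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,"
    "ResumeThread,0_2_02870054",
    "Source: C:\\Users\\user\\Desktop\\NcVke2zCHP.exe Memory written: "
    "C:\\Users\\user\\Desktop\\NcVke2zCHP.exe base: 400000 value starts with: 4D5A",
    "Source: C:\\Users\\user\\Desktop\\NcVke2zCHP.exe TID: 4416 "
    "Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\NcVke2zCHP.exe TID: 3064 Thread sleep count: 456 > 30",
    "Source: C:\\Users\\user\\Desktop\\NcVke2zCHP.exe Process information set: NOOPENFILEERRORBOX",
]

# Ordered API chain of classic process hollowing. Other calls may sit between
# them (the report shows three WriteProcessMemory calls); only order matters.
HOLLOWING_CHAIN = ("CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Int64.MaxValue ticks / 10000 ticks per ms: .NET TimeSpan.MaxValue in whole
# milliseconds. A sleep of this length is not a delay, it is "never wake up".
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

CODE_FN_RE = re.compile(r"Code function: \S+ ((?:\w+,)+)")
MEM_WRITE_RE = re.compile(r"Memory written: .* base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")


def is_ordered_subsequence(needle, haystack):
    """True if every item of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(any(item == call for call in it) for item in needle)


def hollowing_chain(line):
    """Does a 'Code function:' line contain the hollowing API chain in order?"""
    m = CODE_FN_RE.search(line)
    if not m:
        return False
    calls = [c for c in m.group(1).split(",") if c]
    return is_ordered_subsequence(HOLLOWING_CHAIN, calls)


def mz_written_to_image_base(line, image_base="400000"):
    """An 'MZ' header (4D5A) written into another process at its image base."""
    m = MEM_WRITE_RE.search(line)
    return bool(m) and m.group(1).lower() == image_base.lower() and m.group(2).upper().startswith("4D5A")


def sleep_evasion(line):
    """Return ('infinite'|'long'|'loop', value) when a line shows sleep-based
    evasion, else None. The limits are taken from the line itself."""
    m = SLEEP_TIME_RE.search(line)
    if m:
        value, limit = int(m.group(1)), int(m.group(2))
        if value == TIMESPAN_MAX_MS:
            return ("infinite", value)
        if value >= limit:
            return ("long", value)
    m = SLEEP_COUNT_RE.search(line)
    if m:
        count, limit = int(m.group(1)), int(m.group(2))
        if count > limit:
            return ("loop", count)
    return None


def triage(lines):
    """Summarise findings over a list of behaviour lines (indices into lines)."""
    findings = {"hollowing_chain": [], "mz_write": [], "sleep": []}
    for i, line in enumerate(lines):
        if hollowing_chain(line):
            findings["hollowing_chain"].append(i)
        if mz_written_to_image_base(line):
            findings["mz_write"].append(i)
        hit = sleep_evasion(line)
        if hit:
            findings["sleep"].append((i, *hit))
    # Call the injection confirmed only when both the API chain (static) and
    # the MZ write into the other process (dynamic) were observed.
    findings["process_hollowing"] = bool(findings["hollowing_chain"] and findings["mz_write"])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Requiring both the static API chain and the observed MZ write before calling the sample a hollowing injector keeps a packer that merely imports these functions from scoring the same as one that was seen using them. The "infinite" sleep class is worth tracking separately from the "long" one: a run that ends with the process parked in an unreturning sleep has shown you less of the payload than the signature list suggests, which is why the report's later stealer evidence comes from the injected child rather than the parent.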

Source: C:\Users\user\Desktop\NcVke2zCHP.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805567331.0000000004D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2446894586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.801084299.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY
Source: Yara match File source: Process Memory Space: NcVke2zCHP.exe PID: 3024, type: MEMORY
Source: Yara match File source: 0.2.NcVke2zCHP.exe.4d20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NcVke2zCHP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NcVke2zCHP.exe.4d20000.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\NcVke2zCHP.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\NcVke2zCHP.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\NcVke2zCHP.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\NcVke2zCHP.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\NcVke2zCHP.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000002.00000002.2450011937.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.800353964.0000000003BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805567331.0000000004D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2446894586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.801084299.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NcVke2zCHP.exe PID: 4936, type: MEMORY
Source: Yara match File source: Process Memory Space: NcVke2zCHP.exe PID: 3024, type: MEMORY
Source: Yara match File source: 0.2.NcVke2zCHP.exe.4d20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NcVke2zCHP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NcVke2zCHP.exe.4d20000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques per tactic, as laid out in the report's matrix (a number in parentheses is the hit-count badge the report attaches to that technique; techniques without one are the matrix's standard entries with no hit):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation (111); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Access Token Manipulation (1); Process Injection (212); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing (3); Disabling Security Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Masquerading (1); Virtualization/Sandbox Evasion (3); Access Token Manipulation (1); Process Injection (212)
Credential Access: Credential Dumping (2); Input Capture (1); Credentials in Registry (1); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Security Software Discovery (11); File and Directory Discovery (1); System Information Discovery (114); Virtualization/Sandbox Evasion (3); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Data from Local System (2); Email Collection (1); Input Capture (1); Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (11); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Remote File Copy (1); Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (2); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                  Behavior Graph

(interactive graph not reproduced in this text export)