Analysis Report CmWU1G593f.exe

Overview

General Information

Sample Name: CmWU1G593f.exe
MD5: d58bd66c760d2e7a13b6a1fa225a2de1
SHA1: ca000d0fa5db92825cf76d21bff6fab2b2c8bc6a
SHA256: 1739e22f179221f828244104d6aebe3f0df2c33935b8b4f2ee825454f9c75d73

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Malware Configuration

Threatname: Agenttesla

{"Username: ": " kad0fh8Nyoqql", "URL: ": "", "To: ": "", "ByHost: ": "smtp.skipper-spb.com:587", "Password: ": " cL5CtzUVs", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1099388736.0000000004C70000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1481855985.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security
00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

            Unpacked PEs

Source | Rule | Description | Author
0.2.CmWU1G593f.exe.4c70000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.CmWU1G593f.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.CmWU1G593f.exe.4c70000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  AV Detection:

Antivirus / Scanner detection for submitted sample
Source: CmWU1G593f.exe | Avira: detected
Found malware configuration
Source: CmWU1G593f.exe.2532.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": " kad0fh8Nyoqql", "URL: ": "", "To: ": "", "ByHost: ": "smtp.skipper-spb.com:587", "Password: ": " cL5CtzUVs", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: CmWU1G593f.exe | Virustotal: Detection: 34%
Source: CmWU1G593f.exe | Metadefender: Detection: 40%
Source: CmWU1G593f.exe | ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: CmWU1G593f.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.CmWU1G593f.exe.dc0000.1.unpack | Avira: Label: TR/Injector.ncmib
Source: 0.0.CmWU1G593f.exe.dc0000.0.unpack | Avira: Label: TR/Injector.ncmib
Source: 2.0.CmWU1G593f.exe.dc0000.0.unpack | Avira: Label: TR/Injector.ncmib
Source: 0.2.CmWU1G593f.exe.dc0000.1.unpack | Avira: Label: TR/Injector.ncmib

                  Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: smtp.skipper-spb.com
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://0ksd89qErgrCsDGj0gZD.org
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.comx&Up
Source: CmWU1G593f.exe, 00000002.00000002.1482761600.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/D
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/P
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/D
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/P
Source: CmWU1G593f.exe, 00000002.00000002.1482761600.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp
Source: CmWU1G593f.exe, 00000002.00000002.1482761600.000000000071B000.00000004.00000020.sdmp, CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientpD
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientpP

Source: CmWU1G593f.exe, 00000000.00000002.1089499664.0000000000190000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected Agent Tesla Trojan
Source: Yara match | File source: 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_054D0562 NtQuerySystemInformation, 2_2_054D0562
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_054D0531 NtQuerySystemInformation, 2_2_054D0531
Source: CmWU1G593f.exe, 00000000.00000002.1090643732.0000000000E6E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename eme.exe8 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000000.00000002.1090037268.0000000000690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mscorrc.dllT vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename IELibrary.dll4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename firefox.exe4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename HRUFQENYOYSCZCFUGCQCHUYELQXRYUMYUCUVRVMP_20190402012204894.exe4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000000.00000002.1089499664.0000000000190000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename mscorwks.dllT vs CmWU1G593f.exe
Source: CmWU1G593f.exe | Binary or memory string: OriginalFilename vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1483471782.0000000000E6E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename eme.exe8 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1487865386.0000000005AA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename wshom.ocx.mui vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1487532319.0000000005740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mscorrc.dllT vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1487750778.0000000005820000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename wshom.ocx vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename IELibrary.dll4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1485856924.0000000004CB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename wbemdisp.tlbj% vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1486150618.00000000050F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename Kernelbase.dll.muij% vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1481855985.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename firefox.exe4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe, 00000002.00000002.1481855985.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename HRUFQENYOYSCZCFUGCQCHUYELQXRYUMYUCUVRVMP_20190402012204894.exe4 vs CmWU1G593f.exe
Source: CmWU1G593f.exe | Binary or memory string: OriginalFilename eme.exe8 vs CmWU1G593f.exe
Source: 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: CmWU1G593f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CmWU1G593f.exe, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.CmWU1G593f.exe.dc0000.0.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.CmWU1G593f.exe.dc0000.1.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.CmWU1G593f.exe.dc0000.1.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.CmWU1G593f.exe.dc0000.0.unpack, eEhDz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_054D03E6 AdjustTokenPrivileges, 2_2_054D03E6
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_054D03AF AdjustTokenPrivileges, 2_2_054D03AF
Source: C:\Users\user\Desktop\CmWU1G593f.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CmWU1G593f.exe.log
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\CmWU1G593f.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CmWU1G593f.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CmWU1G593f.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CmWU1G593f.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\CmWU1G593f.exe 'C:\Users\user\Desktop\CmWU1G593f.exe'
Source: unknown | Process created: C:\Users\user\Desktop\CmWU1G593f.exe C:\Users\user\Desktop\CmWU1G593f.exe
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Process created: C:\Users\user\Desktop\CmWU1G593f.exe C:\Users\user\Desktop\CmWU1G593f.exe
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\CmWU1G593f.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: CmWU1G593f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\CmWU1G593f.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CmWU1G593f.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb | source: CmWU1G593f.exe, 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp, CmWU1G593f.exe, 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: CmWU1G593f.exe, 00000000.00000002.1090037268.0000000000690000.00000002.00000001.sdmp, CmWU1G593f.exe, 00000002.00000002.1487532319.0000000005740000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_05832161 push esp; ret 2_2_05832175
Source: C:\Users\user\Desktop\CmWU1G593f.exe | Code function: 2_2_05AC5FBE push 69FFFFFFh; ret 2_2_05AC5FC3
Source: initial sample | Static PE information: section name: .text entropy: 7.99460943937

Source: C:\Users\user\Desktop\CmWU1G593f.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CmWU1G593f.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe TID: 4736 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe TID: 4344 Thread sleep count: 95 > 30
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe TID: 4344 Thread sleep time: -95000s >= -30000s
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe TID: 4168 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Last function: Thread delayed
                  Source: CmWU1G593f.exe, 00000002.00000002.1486150618.00000000050F0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: CmWU1G593f.exe, 00000002.00000002.1486150618.00000000050F0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: CmWU1G593f.exe, 00000002.00000002.1486150618.00000000050F0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: CmWU1G593f.exe, 00000002.00000002.1482761600.000000000071B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: CmWU1G593f.exe, 00000002.00000002.1486150618.00000000050F0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Process information queried: ProcessInformation

                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Code function: 2_2_05AB9BA2 LdrInitializeThunk,2_2_05AB9BA2
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Memory written: C:\Users\user\Desktop\CmWU1G593f.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Process created: C:\Users\user\Desktop\CmWU1G593f.exe C:\Users\user\Desktop\CmWU1G593f.exe
                  Source: CmWU1G593f.exe, 00000002.00000002.1483491081.0000000001010000.00000002.00000001.sdmp Binary or memory string: Program Manager
                  Source: CmWU1G593f.exe, 00000002.00000002.1483491081.0000000001010000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                  Source: CmWU1G593f.exe, 00000002.00000002.1483491081.0000000001010000.00000002.00000001.sdmp Binary or memory string: Progman
                  Source: CmWU1G593f.exe, 00000002.00000002.1483491081.0000000001010000.00000002.00000001.sdmp Binary or memory string: Progmanlock

                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match File source: 00000000.00000002.1099388736.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.1481855985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1094839789.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CmWU1G593f.exe PID: 5888, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY
                  Source: Yara match File source: 0.2.CmWU1G593f.exe.4c70000.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.CmWU1G593f.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.CmWU1G593f.exe.4c70000.2.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\CmWU1G593f.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match File source: 00000002.00000002.1484923745.0000000002910000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match File source: 00000000.00000002.1099388736.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1094053150.00000000039F0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.1481855985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1094839789.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CmWU1G593f.exe PID: 5888, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CmWU1G593f.exe PID: 2532, type: MEMORY
                  Source: Yara match File source: 0.2.CmWU1G593f.exe.4c70000.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.CmWU1G593f.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.CmWU1G593f.exe.4c70000.2.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 111 | Winlogon Helper DLL | Access Token Manipulation 1 | Masquerading 1 | Credential Dumping 2 | Virtualization/Sandbox Evasion 3 | Remote File Copy 1 | Email Collection 1 | Data Encrypted 11 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 112 | Software Packing 3 | Input Capture 1 | Process Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Remote File Copy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools 1 | Credentials in Registry 1 | Security Software Discovery 11 | Windows Remote Management | Data from Local System 2 | Automated Exfiltration | Standard Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion 3 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
                  Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation 1 | Account Manipulation | System Network Configuration Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 112 | Brute Force | File and Directory Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
                  Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Deobfuscate/Decode Files or Information 1 | Two-Factor Authentication Interception | System Information Discovery 114 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Obfuscated Files or Information 2 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                  Behavior Graph


                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet