Loading ...

Play interactive tourEdit tour

Analysis Report Scan_Report_xlxs_.bin

Overview

General Information

Sample Name:Scan_Report_xlxs_.bin (renamed file extension from bin to exe)
MD5:21500d1b112efdc1dfc5b897659232e3
SHA1:65cd948f5db64a26010511708442c1aafd2235f1
SHA256:7b8323706153564b0355a421a3de33ee25da4fecb9e889e6939a4bf48c407eb9

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Scan_Report_xlxs_.exe (PID: 552 cmdline: 'C:\Users\user\Desktop\Scan_Report_xlxs_.exe' MD5: 21500D1B112EFDC1DFC5B897659232E3)
    • Scan_Report_xlxs_.exe (PID: 4548 cmdline: {path} MD5: 21500D1B112EFDC1DFC5B897659232E3)
      • netsh.exe (PID: 5016 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "3ZAv3k5BVzg9Po", "URL: ": "https://RhrtihtowVSN8yVh8t.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "MsnqdL", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1479008604.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.1062946627.0000000003DA0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.1481674893.00000000031C0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: Scan_Report_xlxs_.exe PID: 552JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.Scan_Report_xlxs_.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview


              System Summary:

              barindex
              Sigma detected: Capture Wi-Fi passwordShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\Scan_Report_xlxs_.exe, ParentProcessId: 4548, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 5016

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: Scan_Report_xlxs_.exeAvira: detected
              Found malware configurationShow sources
              Source: Scan_Report_xlxs_.exe.4548.1.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "3ZAv3k5BVzg9Po", "URL: ": "https://RhrtihtowVSN8yVh8t.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "MsnqdL", "From: ": ""}
              Multi AV Scanner detection for submitted fileShow sources
              Source: Scan_Report_xlxs_.exeVirustotal: Detection: 52%Perma Link
              Source: Scan_Report_xlxs_.exeReversingLabs: Detection: 41%
              Machine Learning detection for sampleShow sources
              Source: Scan_Report_xlxs_.exeJoe Sandbox ML: detected
              Source: 1.2.Scan_Report_xlxs_.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

              Source: global trafficTCP traffic: 192.168.2.6:49935 -> 77.88.21.158:587
              Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
              Source: global trafficTCP traffic: 192.168.2.6:49935 -> 77.88.21.158:587
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_014BA09A recv,1_2_014BA09A
              Source: unknownDNS traffic detected: queries for: smtp.yandex.com
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1064287598.0000000005096000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmp, Scan_Report_xlxs_.exe, 00000001.00000003.1155360007.0000000001024000.00000004.00000001.sdmpString found in binary or memory: https://RhrtihtowVSN8yVh8t.com
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Installs a global keyboard hookShow sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scan_Report_xlxs_.exeJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary:

              barindex
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_014BB362 NtQuerySystemInformation,1_2_014BB362
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_014BB331 NtQuerySystemInformation,1_2_014BB331
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_028120400_2_02812040
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_028133900_2_02813390
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_028132E80_2_028132E8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_028120F20_2_028120F2
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_0281265B0_2_0281265B
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06066A381_2_06066A38
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060606401_2_06060640
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060662C81_2_060662C8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606834A1_2_0606834A
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06065B801_2_06065B80
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06066FE81_2_06066FE8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606D7F01_2_0606D7F0
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06067C201_2_06067C20
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606A8F81_2_0606A8F8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060655081_2_06065508
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606DD681_2_0606DD68
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060675C01_2_060675C0
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06061E161_2_06061E16
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060632381_2_06063238
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606328F1_2_0606328F
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060662B81_2_060662B8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06068AF81_2_06068AF8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06061B731_2_06061B73
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060647BF1_2_060647BF
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06067C021_2_06067C02
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606C02B1_2_0606C02B
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_060606401_2_06060640
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606C4E91_2_0606C4E9
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06065D001_2_06065D00
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06062DB91_2_06062DB9
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0640D6881_2_0640D688
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0640C7481_2_0640C748
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0640E4481_2_0640E448
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0640D1501_2_0640D150
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0640B5F81_2_0640B5F8
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_064000701_2_06400070
              Source: Scan_Report_xlxs_.exeBinary or memory string: OriginalFilename vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1062737890.0000000002DA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreEntity.dll6 vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1062737890.0000000002DA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAbYeBkQgzYsVBZUKWnpIeclSzakXdTAFXJCKMK.exe4 vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000000.00000002.1068926214.0000000007E40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exeBinary or memory string: OriginalFilename vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1479101101.000000000044C000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameAbYeBkQgzYsVBZUKWnpIeclSzakXdTAFXJCKMK.exe4 vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1485272644.0000000006100000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1485563701.0000000006180000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483694605.0000000005580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483774070.00000000056A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1485535654.0000000006170000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs Scan_Report_xlxs_.exe
              Source: Scan_Report_xlxs_.exeBinary or memory string: OriginalFilenameBdRCSwxIDJL.exe@ vs Scan_Report_xlxs_.exe
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: security.dllJump to behavior
              Source: Scan_Report_xlxs_.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Scan_Report_xlxs_.exe, ClassAssignment/VWRVWVRKPMIRVMPRIVOR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.Scan_Report_xlxs_.exe.4c0000.0.unpack, ClassAssignment/VWRVWVRKPMIRVMPRIVOR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.Scan_Report_xlxs_.exe.4c0000.0.unpack, ClassAssignment/VWRVWVRKPMIRVMPRIVOR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 1.2.Scan_Report_xlxs_.exe.bd0000.1.unpack, ClassAssignment/VWRVWVRKPMIRVMPRIVOR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 1.0.Scan_Report_xlxs_.exe.bd0000.0.unpack, ClassAssignment/VWRVWVRKPMIRVMPRIVOR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/1@1/1
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_014BB1E6 AdjustTokenPrivileges,1_2_014BB1E6
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_014BB1AF AdjustTokenPrivileges,1_2_014BB1AF
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan_Report_xlxs_.exe.logJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3928:120:WilError_01
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeMutant created: \Sessions\1\BaseNamedObjects\VImiYvtLaP
              Source: Scan_Report_xlxs_.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Scan_Report_xlxs_.exeVirustotal: Detection: 52%
              Source: Scan_Report_xlxs_.exeReversingLabs: Detection: 41%
              Source: unknownProcess created: C:\Users\user\Desktop\Scan_Report_xlxs_.exe 'C:\Users\user\Desktop\Scan_Report_xlxs_.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\Scan_Report_xlxs_.exe {path}
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess created: C:\Users\user\Desktop\Scan_Report_xlxs_.exe {path}Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Scan_Report_xlxs_.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
              Source: Scan_Report_xlxs_.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: CoreEntity.pdb source: Scan_Report_xlxs_.exe, 00000000.00000002.1062737890.0000000002DA0000.00000004.00000001.sdmp
              Source: Binary string: mscorrc.pdb source: Scan_Report_xlxs_.exe, 00000000.00000002.1068926214.0000000007E40000.00000002.00000001.sdmp, Scan_Report_xlxs_.exe, 00000001.00000002.1485272644.0000000006100000.00000002.00000001.sdmp

              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_004C955C push es; iretd 0_2_004C955E
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_004C92B9 push es; iretd 0_2_004C9540
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_004C9959 push es; iretd 0_2_004C995A
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 0_2_004C95B0 push es; iretd 0_2_004C95B2
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_00BD955C push es; iretd 1_2_00BD955E
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_00BD92B9 push es; iretd 1_2_00BD9540
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_00BD9959 push es; iretd 1_2_00BD995A
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_00BD95B0 push es; iretd 1_2_00BD95B2
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606D7F0 push es; retf 06D8h1_2_0606DD10
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606163C push ss; retf 1_2_0606163F
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06065A4E push eax; retf 1_2_06065A50
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06060EF2 pushfd ; retf 1_2_06060EF3
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06064709 push es; iretd 1_2_06064724
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606D750 push es; iretd 1_2_0606D76C
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_0606012D push FFFFFF8Bh; iretd 1_2_0606012F
              Source: initial sampleStatic PE information: section name: .text entropy: 7.89611523095

              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exe TID: 2992Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exe TID: 1684Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exe TID: 5136Thread sleep count: 85 > 30Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exe TID: 5136Thread sleep time: -42500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeLast function: Thread delayed
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483774070.00000000056A0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483774070.00000000056A0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483774070.00000000056A0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1483774070.00000000056A0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess information queried: ProcessInformationJump to behavior

              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeCode function: 1_2_06062FD2 LdrInitializeThunk,1_2_06062FD2
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeMemory written: C:\Users\user\Desktop\Scan_Report_xlxs_.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess created: C:\Users\user\Desktop\Scan_Report_xlxs_.exe {path}Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1480191359.0000000001880000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1480191359.0000000001880000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1480191359.0000000001880000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: Scan_Report_xlxs_.exe, 00000001.00000002.1480191359.0000000001880000.00000002.00000001.sdmpBinary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings:

              barindex
              Uses netsh to modify the Windows network and firewall settingsShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000001.00000002.1479008604.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1062946627.0000000003DA0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1481674893.00000000031C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Scan_Report_xlxs_.exe PID: 552, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Scan_Report_xlxs_.exe PID: 4548, type: MEMORY
              Source: Yara matchFile source: 1.2.Scan_Report_xlxs_.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal WLAN passwordsShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Users\user\Desktop\Scan_Report_xlxs_.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: Yara matchFile source: Process Memory Space: Scan_Report_xlxs_.exe PID: 4548, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000001.00000002.1479008604.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1062946627.0000000003DA0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1482095609.00000000032EF000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1481674893.00000000031C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Scan_Report_xlxs_.exe PID: 552, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Scan_Report_xlxs_.exe PID: 4548, type: MEMORY
              Source: Yara matchFile source: 1.2.Scan_Report_xlxs_.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation111Winlogon Helper DLLAccess Token Manipulation1Software Packing3Credential Dumping2Security Software Discovery11Remote File Copy1Data from Local System2Data Encrypted11Uncommonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Replication Through Removable MediaService ExecutionPort MonitorsProcess Injection112Disabling Security Tools11Input Capture11File and Directory Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumRemote File Copy1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery114Windows Remote ManagementInput Capture11Automated ExfiltrationStandard Cryptographic Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or Information2Credentials in FilesVirtualization/Sandbox Evasion3Logon ScriptsClipboard Data1Data EncryptedStandard Non-Application Layer Protocol1SIM Card SwapPremium SMS Toll Fraud
              Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasquerading1Account ManipulationProcess Discovery2Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceVirtualization/Sandbox Evasion3Brute ForceRemote System Discovery1Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
              Spearphishing AttachmentScriptingPath InterceptionScheduled TaskAccess Token Manipulation1Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionProcess Injection112Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessDLL Side-Loading1Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 231911