
Analysis Report 2BCn067ZPT

Overview

General Information

Sample Name: 2BCn067ZPT (renamed file extension from none to exe)
MD5: a2ba1958899ead80ff3646555c42f08d
SHA1: ef301eef22295618cdf38cd2a9059ee2c1e6b8b3
SHA256: d46615754e00e004d683ff2ad5de9bca976db9d110b43e0ab0f5ae35c652fab7

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • 2BCn067ZPT.exe (PID: 4460 cmdline: 'C:\Users\user\Desktop\2BCn067ZPT.exe' MD5: A2BA1958899EAD80FF3646555C42F08D)
    • netsh.exe (PID: 3144 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
2BCn067ZPT.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  .text | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1480132302.0000000000B02000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000000.1048194121.0000000000B02000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1482830536.0000000003110000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: 2BCn067ZPT.exe PID: 4460 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.2BCn067ZPT.exe.b00000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.2BCn067ZPT.exe.b00000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Desktop\2BCn067ZPT.exe', ParentImage: C:\Users\user\Desktop\2BCn067ZPT.exe, ParentProcessId: 4460, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3144

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2BCn067ZPT.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 2BCn067ZPT.exe | Virustotal: Detection: 61%
Source: 2BCn067ZPT.exe | ReversingLabs: Detection: 83%
Machine Learning detection for sample
Source: 2BCn067ZPT.exe | Joe Sandbox ML: detected

Source: unknown | DNS traffic detected: query: tworiversterminal.us replaycode: Server failure (2)
Source: unknown | DNS traffic detected: queries for: tworiversterminal.us
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: http://tworiversterminal.us
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: http://tworiversterminal.us/life/inc/6f6bcbefaf52d3.php
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: http://tworiversterminal.usx&Up
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: https://g1PoqGpW4VDRf.com
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 2BCn067ZPT.exe, 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\2BCn067ZPT.exe
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_011DB362 NtQuerySystemInformation, 0_2_011DB362
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_011DB331 NtQuerySystemInformation, 0_2_011DB331
Source: 2BCn067ZPT.exe | Binary or memory string: OriginalFilename vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1484850692.0000000005430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1486008079.0000000005ED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1486043059.0000000005EE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1480132302.0000000000B02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefWgBKOKZFsMHGLShHNRvObpymvamkrPYBO.exe4 vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1486102952.0000000005FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, 00000000.00000002.1485173747.0000000005930000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe | Binary or memory string: OriginalFilenamefWgBKOKZFsMHGLShHNRvObpymvamkrPYBO.exe4 vs 2BCn067ZPT.exe
Source: 2BCn067ZPT.exe, vko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2BCn067ZPT.exe, vko.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.2BCn067ZPT.exe.b00000.0.unpack, vko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.2BCn067ZPT.exe.b00000.0.unpack, vko.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.2BCn067ZPT.exe.b00000.0.unpack, vko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2BCn067ZPT.exe.b00000.0.unpack, vko.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/4@7/0
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_011DB1E6 AdjustTokenPrivileges, 0_2_011DB1E6
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_011DB1AF AdjustTokenPrivileges, 0_2_011DB1AF
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File created: C:\Users\user\AppData\Roaming\zsuwa3n1.jqq
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_01
Source: 2BCn067ZPT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\2BCn067ZPT.exe 'C:\Users\user\Desktop\2BCn067ZPT.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2BCn067ZPT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 2BCn067ZPT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: 2BCn067ZPT.exe, 00000000.00000002.1486102952.0000000005FC0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B02AB0 push ds; retf 0_2_00B02A99
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B052A1 push ds; iretd 0_2_00B052A2
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B054E3 pushfd ; retf 0_2_00B054E6
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B058D9 pushad ; ret 0_2_00B058DE
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B0364D push ebp; ret 0_2_00B03651
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B05984 push cs; iretd 0_2_00B05987
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B071FE pushfd ; iretd 0_2_00B07217
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B05332 push esp; ret 0_2_00B05349
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B0676B push ss; ret 0_2_00B0676F
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B0215A push ecx; ret 0_2_00B0215F
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_00B03B4A push edi; retf 0_2_00B03B4C
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_05D140A1 push ds; iretd 0_2_05D140A2
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_05D1402D push ds; iretd 0_2_05D1402E

Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -37406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -37000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -36814s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -36282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -36094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -35688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -35000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -34814s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -34094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -33406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -36000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -30750s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -30141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -57594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -54500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -52906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -52688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -52500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -50906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -50500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -46500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -38282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -38094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -36594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -35314s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -33094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -32906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -32500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -32188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -32000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -37500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -46000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe TID: 3064Thread sleep time: -41000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1485173747.0000000005930000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1481018026.000000000116E000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1485173747.0000000005930000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1485173747.0000000005930000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1485173747.0000000005930000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exeProcess information queried: ProcessInformationJump to behavior

                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Code function: 0_2_05F0F528 LdrInitializeThunk, 0_2_05F0F528
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1481335435.00000000017D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1481335435.00000000017D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1481335435.00000000017D0000.00000002.00000001.sdmp | Binary or memory string: Progman
                    Source: 2BCn067ZPT.exe, 00000000.00000002.1481335435.00000000017D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Uses netsh to modify the Windows network and firewall settings
                    Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 2BCn067ZPT.exe, type: SAMPLE
                    Source: Yara match | File source: .text, type: SAMPLE
                    Source: Yara match | File source: 00000000.00000002.1480132302.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.1048194121.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1482830536.0000000003110000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 2BCn067ZPT.exe PID: 4460, type: MEMORY
                    Source: Yara match | File source: 0.0.2BCn067ZPT.exe.b00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.2BCn067ZPT.exe.b00000.0.unpack, type: UNPACKEDPE
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal WLAN passwords
                    Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqlite
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\2BCn067ZPT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: Process Memory Space: 2BCn067ZPT.exe PID: 4460, type: MEMORY

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 2BCn067ZPT.exe, type: SAMPLE
                    Source: Yara match | File source: .text, type: SAMPLE
                    Source: Yara match | File source: 00000000.00000002.1480132302.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.1048194121.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1482830536.0000000003110000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1483367987.0000000003298000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 2BCn067ZPT.exe PID: 4460, type: MEMORY
                    Source: Yara match | File source: 0.0.2BCn067ZPT.exe.b00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.2BCn067ZPT.exe.b00000.0.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    (Digits after a technique name are the report's count of matched signatures for that technique; empty cells have no entry.)

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Winlogon Helper DLL | Access Token Manipulation 1 | Masquerading 1 | Credential Dumping 2 | Virtualization/Sandbox Evasion 13 | Application Deployment Software | Email Collection 1 | Data Encrypted 11 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 12 | Disabling Security Tools 11 | Input Capture 11 | Process Discovery 2 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | File and Directory Permissions Modification 1 | Credentials in Registry 1 | Security Software Discovery 111 | Windows Remote Management | Data from Local System 2 | Automated Exfiltration | Standard Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion 13 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Clipboard Data 1 | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
                    Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation 1 | Account Manipulation | File and Directory Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 12 | Brute Force | System Information Discovery 114 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
                    Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Deobfuscate/Decode Files or Information 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Obfuscated Files or Information 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                    Behavior Graph

                    [Interactive behavior graph not reproduced in this text export; legend omitted.]

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.