
Analysis Report Scan20200623153138 HSBC Bank swift ,pdf.exe

Overview

General Information

Sample Name: Scan20200623153138 HSBC Bank swift ,pdf.exe
MD5: 31c8904ca6c1785bee7383340065297a
SHA1: b48911ebdb9eaf5037c03acf223be6c3d6b55dd9
SHA256: d3021d0d900bc1384f788e16f01e093775a5a3bf9a09e0c14dfe5c2512dde2d4

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Scan20200623153138 HSBC Bank swift ,pdf.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe' MD5: 31C8904CA6C1785BEE7383340065297A)
    • schtasks.exe (PID: 5628 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "ZbnyGg4w", "URL: ": "https://p0GDh8EEsGdZWgZD.org", "To: ": "", "ByHost: ": "mail.macrosyselectronics.in:5878", "Password: ": "qnGJIABB", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.1106948598.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.443913160.0000000003DC8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe', ParentImage: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe, ParentProcessId: 5524, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', ProcessId: 5628

Signature Overview


AV Detection:

Found malware configuration
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe.5676.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "ZbnyGg4w", "URL: ": "https://p0GDh8EEsGdZWgZD.org", "To: ": "", "ByHost: ": "mail.macrosyselectronics.in:5878", "Password: ": "qnGJIABB", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | Virustotal: Detection: 31%
Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Virustotal: Detection: 31%
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | ReversingLabs: Detection: 70%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Joe Sandbox ML: detected
Source: 4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: global traffic | TCP traffic: 192.168.2.7:49717 -> 166.62.25.253:587
Source: unknown | DNS traffic detected: queries for: mail.macrosyselectronics.in
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.macrosyselectronics.in
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.440085034.0000000002B10000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp, Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000003.581619663.0000000000F64000.00000004.00000001.sdmp | String found in binary or memory: https://p0GDh8EEsGdZWgZD.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Code function: 4_2_063E4E5C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NepvtZyh.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepeview.exe> vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000000.417382688.0000000000632000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.440085034.0000000002B10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehQRlZqZubAOentauwsauZPuvEAzDYpjkv.exe4 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447958073.0000000006500000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447958073.0000000006500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.437966456.00000000006B5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447487646.0000000006410000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107372516.0000000000AC5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107118836.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamehQRlZqZubAOentauwsauZPuvEAzDYpjkv.exe4 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107666752.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107188000.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113055287.0000000006300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113189532.0000000006340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113016508.00000000062F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NepvtZyh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Roaming\NepvtZyh.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8F05.tmp
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Virustotal: Detection: 31%
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Code function: 4_2_062E6D6E push edx; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.68639163252

Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: \scan20200623153138 hsbc bank swift ,pdf.exe
Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Roaming\NepvtZyh.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'

Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Window / User API: threadDelayed 1197
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 5528 | Thread sleep time: -33000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 5584 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6040 | Thread sleep count: 155 > 30
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6040 | Thread sleep count: 1197 > 30
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -54906s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -54686s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -54094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -53780s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -53594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -53374s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -53094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -52686s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -52468s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -52280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -52062s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -77109s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -76500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -50500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -50280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -50094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -74391s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -49374s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -49186s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48968s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48780s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48062s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -47874s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -46968s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -46280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -46094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -45594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -45186s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -44280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -43874s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -87188s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -43156s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -42968s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -42780s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -42594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -62109s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -41186s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -40468s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -40280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -56859s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -37686s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -37186s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -37000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36562s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36374s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -35656s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -51750s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -51000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -33780s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -67188s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -32874s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -32468s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -32280s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48141s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31874s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31686s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31374s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31156s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -30968s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -44859s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -59000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -42141s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -38250s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -33000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -32391s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -56594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -55094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -77391s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -46000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -44094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -43406s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -42094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -62391s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -41000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -39500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -58500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36891s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -34641s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -58906s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -58688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -87750s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -55500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -78282s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -52000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -51782s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -50688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -49406s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48720s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48188s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -48000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -47594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -45906s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -45094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -44688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -40688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -60750s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -60423s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -40094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -39906s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36188s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31188s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -30594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -59814s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -59594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -57782s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -57594s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -56876s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -56688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -55970s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -55782s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -49094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -38000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -37814s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -36500s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -35782s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -33814s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -33094s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -32688s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -31782s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 | Thread sleep time: -30814s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Last function: Thread delayed
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113615002.00000000065B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process information queried: ProcessInformation

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Code function: 4_2_062EEAD8 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Memory allocated: page read and write | page guard

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000004.00000002.1106948598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.443913160.0000000003DC8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Scan20200623153138 HSBC Bank swift ,pdf.exe PID: 5524, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Scan20200623153138 HSBC Bank swift ,pdf.exe PID: 5676, type: MEMORY
              Source: Yara match | File source: 4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara match | File source: 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Scan20200623153138 HSBC Bank swift ,pdf.exe PID: 5676, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match, file source: 00000004.00000002.1106948598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.443913160.0000000003DC8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: Scan20200623153138 HSBC Bank swift ,pdf.exe PID: 5524, type: MEMORY
              Source: Yara match, file source: Process Memory Space: Scan20200623153138 HSBC Bank swift ,pdf.exe PID: 5676, type: MEMORY
              Source: Yara match, file source: 4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task 1 | Process Injection 12 | Software Packing 3 | Credential Dumping 2 | Security Software Discovery 211 | Application Deployment Software | Data from Local System 2 | Data Encrypted 1 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Replication Through Removable Media | Scheduled Task 1 | Port Monitors | Scheduled Task 1 | Disabling Security Tools 1 | Input Capture 21 | File and Directory Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 2 | Credentials in Registry 1 | System Information Discovery 114 | Windows Remote Management | Input Capture 21 | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Masquerading 1 | Credentials in Files | Virtualization/Sandbox Evasion 13 | Logon Scripts | Clipboard Data 1 | Data Encrypted | Standard Application Layer Protocol 11 | SIM Card Swap | Premium SMS Toll Fraud |
              Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion 13 | Account Manipulation | Process Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
              Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 12 | Brute Force | Application Window Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
              Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

              Behavior Graph

              [Behavior graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]
              Behavior Graph ID: 241932