Loading ...

Play interactive tourEdit tour

Analysis Report a.exe

Overview

General Information

Sample Name:a.exe
MD5:bd1d7b1535c92ce9720ce25c226cd2cd
SHA1:b89378ab5549d843a2979cfb022f7a8a15592e78
SHA256:bbeee9ee22f5b24bc2d6b020912cd93349160596328aa1d8903b0e56374bd7f6

Most interesting Screenshot:

Errors
  • Sigma syntax error: One detector has no map or list, Rule: Suspicious XOR Encoded PowerShell Command Line
  • Sigma syntax error: One detector has no map or list, Rule: Suspicious PowerShell Parent Process

Detection

AgentTesla
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • a.exe (PID: 5512 cmdline: 'C:\Users\user\Desktop\a.exe' MD5: BD1D7B1535C92CE9720CE25C226CD2CD)
    • a.exe (PID: 5580 cmdline: {path} MD5: BD1D7B1535C92CE9720CE25C226CD2CD)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "stqfKptrLv1", "URL: ": "https://OdkCLsZeefznAoeiIV.net", "To: ": "lozroyno@yandex.com", "ByHost: ": "mail.magicpharma.pt:587", "Password: ": "q08Qe", "From: ": "miguelcorreia@magicpharma.pt"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1172534337.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.758636626.0000000003F00000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: a.exe PID: 5512JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.a.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: a.exe.5580.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "stqfKptrLv1", "URL: ": "https://OdkCLsZeefznAoeiIV.net", "To: ": "lozroyno@yandex.com", "ByHost: ": "mail.magicpharma.pt:587", "Password: ": "q08Qe", "From: ": "miguelcorreia@magicpharma.pt"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: a.exeVirustotal: Detection: 11%Perma Link
              Source: 2.2.a.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

              Source: global trafficTCP traffic: 192.168.2.5:49732 -> 96.125.160.29:587
              Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
              Source: global trafficTCP traffic: 192.168.2.5:49732 -> 96.125.160.29:587
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_00BAA09A recv,
              Source: unknownDNS traffic detected: queries for: mail.magicpharma.pt
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
              Source: a.exe, 00000002.00000002.1176656877.0000000002E43000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
              Source: a.exe, 00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmpString found in binary or memory: https://OdkCLsZeefznAoeiIV.net

              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_00BAB362 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_00BAB331 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\a.exeCode function: 0_2_029840C0
              Source: C:\Users\user\Desktop\a.exeCode function: 0_2_02982F67
              Source: C:\Users\user\Desktop\a.exeCode function: 0_2_029840AF
              Source: C:\Users\user\Desktop\a.exeCode function: 0_2_02984168
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9E7C8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9D180
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E90014
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9DD79
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9D170
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9D95B
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9E7B8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E90034
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_04E9DD05
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896190
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896D90
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589A1A8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896910
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896578
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589CFB8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589A738
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05894B60
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589AEB0
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589DED8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05899608
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589E630
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896180
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_058995F8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896901
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896568
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05893BB5
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05893F68
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_058996AF
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_058942BB
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_058972E0
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_058996E2
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896203
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05919179
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059180E8
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05914428
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05918BBF
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05917BFF
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05915F30
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059166C0
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05913A0A
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059131E1
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0591195C
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05917147
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059188FD
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05914417
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0591181B
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05911782
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059133BE
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_059177AA
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05911BDE
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05915F20
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05911A9D
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05913638
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0591862B
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA3199
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA2A7A
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA0070
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA1218
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA0F08
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA0931
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05FA1209
              Source: a.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: a.exeBinary or memory string: OriginalFilename vs a.exe
              Source: a.exe, 00000000.00000002.760685643.0000000005310000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLazarus.exe4 vs a.exe
              Source: a.exe, 00000000.00000002.755032724.0000000002B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs a.exe
              Source: a.exe, 00000000.00000002.758636626.0000000003F00000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamebaXZCSNcHyuUpcqJnsTEKkXrNTVy.exe4 vs a.exe
              Source: a.exe, 00000000.00000002.754914493.00000000029B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAMD_Isotopes.dll: vs a.exe
              Source: a.exeBinary or memory string: OriginalFilename vs a.exe
              Source: a.exe, 00000002.00000002.1178638805.0000000005F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs a.exe
              Source: a.exe, 00000002.00000002.1178140848.00000000058A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs a.exe
              Source: a.exe, 00000002.00000002.1177484647.00000000052F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs a.exe
              Source: a.exe, 00000002.00000002.1178283103.0000000005900000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs a.exe
              Source: a.exe, 00000002.00000002.1172534337.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamebaXZCSNcHyuUpcqJnsTEKkXrNTVy.exe4 vs a.exe
              Source: a.exe, 00000002.00000002.1178086244.0000000005880000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs a.exe
              Source: a.exe, 00000002.00000002.1177513607.0000000005300000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs a.exe
              Source: a.exeBinary or memory string: OriginalFilenamecjAOBsyNnijkxEJu.exe@ vs a.exe
              Source: C:\Users\user\Desktop\a.exeSection loaded: security.dll
              Source: a.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal92.troj.spyw.evad.winEXE@3/3@1/1
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_00BAB1E6 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_00BAB1AF AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\a.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a.exe.logJump to behavior
              Source: C:\Users\user\Desktop\a.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: a.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\a.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\a.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\a.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: a.exeVirustotal: Detection: 11%
              Source: unknownProcess created: C:\Users\user\Desktop\a.exe 'C:\Users\user\Desktop\a.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\a.exe {path}
              Source: C:\Users\user\Desktop\a.exeProcess created: C:\Users\user\Desktop\a.exe {path}
              Source: C:\Users\user\Desktop\a.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: C:\Users\user\Desktop\a.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: a.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: a.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: a.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LCnSDVaAkU\src\obj\Debug\cjAOBsyNnijkxEJu.pdb source: a.exe
              Source: Binary string: mscorrc.pdb source: a.exe, 00000000.00000002.755032724.0000000002B30000.00000002.00000001.sdmp, a.exe, 00000002.00000002.1178140848.00000000058A0000.00000002.00000001.sdmp

              Source: C:\Users\user\Desktop\a.exeCode function: 0_2_0061760F push ds; ret
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_004D760F push ds; ret
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0589530A push esp; iretd
              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_0591CB5E push esp; ret
              Source: initial sampleStatic PE information: section name: .text entropy: 7.90105496433

              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\a.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\a.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\a.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\a.exe TID: 5516Thread sleep time: -33000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5572Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -55718s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -55000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -47594s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -44500s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -44000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -43406s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -43126s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -38906s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -38000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -35500s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -34000s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -31500s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -31312s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -30094s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -36189s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -59814s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -59626s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -59314s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -58938s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -58720s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -57720s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -57532s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -56438s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -56220s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -55720s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -55532s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -55314s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -54220s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -49126s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -45532s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -44438s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -44220s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -43314s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -42408s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -38908s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -35126s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -33032s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -31220s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -31032s >= -30000s
              Source: C:\Users\user\Desktop\a.exe TID: 5736Thread sleep time: -38500s >= -30000s
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\a.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\a.exeLast function: Thread delayed
              Source: a.exe, 00000002.00000002.1177513607.0000000005300000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: a.exe, 00000002.00000002.1177513607.0000000005300000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: a.exe, 00000002.00000002.1177513607.0000000005300000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: a.exe, 00000002.00000002.1177513607.0000000005300000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\a.exeProcess information queried: ProcessInformation

              Source: C:\Users\user\Desktop\a.exeCode function: 2_2_05896578 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\a.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\a.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\a.exeMemory written: C:\Users\user\Desktop\a.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\a.exeProcess created: C:\Users\user\Desktop\a.exe {path}
              Source: a.exe, 00000002.00000002.1174100421.0000000001240000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: a.exe, 00000002.00000002.1174100421.0000000001240000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: a.exe, 00000002.00000002.1174100421.0000000001240000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: a.exe, 00000002.00000002.1174100421.0000000001240000.00000002.00000001.sdmpBinary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\a.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\a.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\a.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000002.00000002.1172534337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.758636626.0000000003F00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: a.exe PID: 5512, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: a.exe PID: 5580, type: MEMORY
              Source: Yara matchFile source: 2.2.a.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\a.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cookies.sqlite
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\a.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\a.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\a.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara matchFile source: 00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: a.exe PID: 5580, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000002.00000002.1172534337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.758636626.0000000003F00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1175683313.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: a.exe PID: 5512, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: a.exe PID: 5580, type: MEMORY
              Source: Yara matchFile source: 2.2.a.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211Winlogon Helper DLLAccess Token Manipulation1Masquerading1Credential Dumping2Virtualization/Sandbox Evasion13Remote File Copy1Email Collection1Data Encrypted1Standard Cryptographic Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Replication Through Removable MediaService ExecutionPort MonitorsProcess Injection112Software Packing3Credentials in Registry1Process Discovery2Remote ServicesData from Local System2Exfiltration Over Other Network MediumUncommonly Used Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionDisabling Security Tools1Input CaptureSecurity Software Discovery111Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingVirtualization/Sandbox Evasion13Credentials in FilesRemote System Discovery1Logon ScriptsInput CaptureData EncryptedStandard Non-Application Layer Protocol1SIM Card SwapPremium SMS Toll Fraud
              Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessAccess Token Manipulation1Account ManipulationFile and Directory Discovery1Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceProcess Injection112Brute ForceSystem Information Discovery114Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
              Spearphishing AttachmentScriptingPath InterceptionScheduled TaskObfuscated Files or Information2Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionDLL Side-Loading1Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

              Behavior Graph

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.