
Analysis Report Confirma plata soldului.exe

Overview

General Information

Sample Name: Confirma plata soldului.exe
MD5: d5f3f94918984dae04d2255a3dadd4fa
SHA1: ad2badf96571c7f9924434edee23cdbb1eff993d
SHA256: 9e8f33053f7949b1c8b094432870a76496c217a2e9ba1b62a9654c040bb1e35c

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Confirma plata soldului.exe (PID: 728 cmdline: 'C:\Users\user\Desktop\Confirma plata soldului.exe' MD5: D5F3F94918984DAE04D2255A3DADD4FA)
    • InstallUtil.exe (PID: 1316 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Bvp864r", "URL: ": "http://eJF0ccGuQmc.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:5878", "Password: ": "AIgH7", "From: ": "david01smith@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.491982233.0000000007983000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.482027324.000000000795D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.482600084.0000000007966000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.483769307.0000000007966000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.482786894.0000000007966000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.1316.4.memstr  Malware Configuration Extractor: Agenttesla {"Username: ": "Bvp864r", "URL: ": "http://eJF0ccGuQmc.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:5878", "Password: ": "AIgH7", "From: ": "david01smith@yandex.com"}
Multi AV Scanner detection for submitted file
Source: Confirma plata soldului.exe  Virustotal: Detection: 30%
Source: 4.2.InstallUtil.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8

Source: global traffic  TCP traffic: 192.168.2.7:49716 -> 77.88.21.158:587
Source: Joe Sandbox View  IP Address: 77.88.21.158 77.88.21.158
Source: unknown  DNS traffic detected: queries for: smtp.yandex.com

Source: Joe Sandbox View  Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Code function: String function: 06670FF8 appears 32 times
Source: Confirma plata soldului.exe  Binary or memory string: OriginalFilename vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.486647140.00000000029E0000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamefdfrf.dll4 vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.487473205.0000000002BB9000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameAHLyKbhpOhGKJa.exe( vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.487473205.0000000002BB9000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameAHLyK vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.485999889.0000000000C21000.00000004.00000020.sdmp  Binary or memory string: OriginalFilenameInstallUtil.exeT vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000003.481640263.0000000007F0A000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameAHLyKQpSjZFIcaBZGi vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.488883519.0000000004257000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameAHLyKQpSjZFIcaBZOxPvcKjhzqQHVbhpOhGKJa.exe4 vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000000.409047814.00000000005F6000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenamebb.exe@ vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe, 00000000.00000002.486679279.0000000002A00000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameAHLyKQpSjZFIcaBZ< vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe  Binary or memory string: OriginalFilenamefdfrf.dll4 vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe  Binary or memory string: OriginalFilenameAHLyKbhpOhGKJa.exe( vs Confirma plata soldului.exe
Source: Confirma plata soldului.exe  Binary or memory string: OriginalFilenamebb.exe@ vs Confirma plata soldului.exe
Source: classification engine  Classification label: mal96.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirma plata soldului.exe.log
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: Confirma plata soldului.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: Confirma plata soldului.exe  Virustotal: Detection: 30%
Source: unknown  Process created: C:\Users\user\Desktop\Confirma plata soldului.exe 'C:\Users\user\Desktop\Confirma plata soldului.exe'
Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Confirma plata soldului.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Confirma plata soldului.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll  source: Confirma plata soldului.exe, 00000000.00000002.485999889.0000000000C21000.00000004.00000020.sdmp, InstallUtil.exe, 00000004.00000002.833122788.0000000000C32000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb  source: Confirma plata soldului.exe, 00000000.00000002.485999889.0000000000C21000.00000004.00000020.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Source: C:\Users\user\Desktop\Confirma plata soldului.exe  File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  File opened: C:\Users\user\Desktop\Confirma plata soldului.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Confirma plata soldului.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Confirma plata soldului.exe, 00000000.00000002.486679279.0000000002A00000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
(SbieDll.dll is the DLL that Sandboxie injects into every sandboxed process; looking it up by module name is the classic Sandboxie check.)
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 638
Source: C:\Users\user\Desktop\Confirma plata soldului.exe TID: 1976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Confirma plata soldului.exe TID: 4224 | Thread sleep count: 176 > 30
Source: C:\Users\user\Desktop\Confirma plata soldului.exe TID: 4468 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4176 | Thread sleep count: 158 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4176 | Thread sleep count: 638 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -54500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -52500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -49500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892 | Thread sleep time: -38500s >= -30000s
(The recurring value 922337203685477 is floor((2^63 - 1) / 10000): the largest 64-bit count of 100 ns intervals, what .NET calls TimeSpan.MaxValue, expressed in milliseconds. It is an effectively unbounded delay rather than a real timer; the sandbox has to patch or skip such sleeps to see the rest of the behaviour.)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Last function: Thread delayed
Source: InstallUtil.exe, 00000004.00000002.837674567.0000000005FD0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Confirma plata soldului.exe, 00000000.00000002.486679279.0000000002A00000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: InstallUtil.exe, 00000004.00000002.837674567.0000000005FD0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: InstallUtil.exe, 00000004.00000002.837674567.0000000005FD0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: InstallUtil.exe, 00000004.00000002.838766793.0000000006820000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000004.00000002.837674567.0000000005FD0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The Hyper-V strings are standard Windows error-message text and a Winsock catalog entry name that are present on ordinary Windows hosts; on their own they are weak evidence. The substantive evasion indicators in this block are the WMI hardware enumeration, the SBIEDLL.DLL check, the "vmware" string in the sample's own memory and the oversized sleep intervals.)
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Process information queried: ProcessInformation
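Decoding the timing and WMI evasion signals above in code, as an added example (it is not part of the report and not AgentTesla's own code): it parses lines in the report's own format, shows that 922337203685477 equals floor((2^63 - 1) / 10000), i.e. the maximum 64-bit 100 ns interval (.NET TimeSpan.MaxValue) in milliseconds, flags sleeps at or above the report's 30000 comparison value, counts sleep loops and tallies the WMI classes queried. Reusing 30000 as the threshold, the extra classes Win32_BIOS and Win32_ComputerSystem, and the score weights are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in milliseconds that
# is floor((2**63 - 1) / 10_000) == 922337203685477, exactly the value printed
# for the sleeps in the report. A delay that long never expires on its own, so
# it is a "sleep until the sandbox gives up" pattern, not a real timer.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
SANDBOX_THRESHOLD = 30_000   # the report's own comparison value (">= -30000s"); assumption

# WMI classes stealers enumerate to fingerprint the host. The first three are
# the ones this report shows; the last two are common siblings added for
# generality (assumption, not from the report).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard": "board manufacturer/product",
    "Win32_NetworkAdapterConfiguration": "adapter names and MAC OUIs",
    "Win32_Processor": "CPU name and core count",
    "Win32_BIOS": "BIOS vendor/serial",
    "Win32_ComputerSystem": "system manufacturer/model",
}

SLEEP_RE = re.compile(r"TID: (\d+)\s*Thread sleep time: -(\d+)s >= -(\d+)s")
COUNT_RE = re.compile(r"TID: (\d+)\s*Thread sleep count: (\d+) > (\d+)")
WMI_RE = re.compile(r"IWbemServices::(\w+) - (\S+) : (?:SELECT .*? FROM )?(Win32_\w+)")

# Lines copied verbatim from the report's "Malware Analysis System Evasion" block
# (the fused "exeThread"/"exeWMI" spelling is how the report prints them).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Confirma plata soldului.exe TID: 1976Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Confirma plata soldului.exe TID: 4224Thread sleep count: 176 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4176Thread sleep count: 638 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892Thread sleep time: -55000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 892Thread sleep time: -38500s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]


@dataclass
class EvasionFindings:
    infinite_sleeps: list = field(default_factory=list)  # (tid, raw value) at/above TimeSpan.MaxValue
    long_sleeps: list = field(default_factory=list)      # (tid, raw value) at/above the threshold
    sleep_loops: list = field(default_factory=list)      # (tid, sleep call count)
    wmi_classes: dict = field(default_factory=dict)      # class -> set of IWbemServices methods


def classify_sleep(value: int) -> str:
    """Label a raw sleep interval as the report prints it (sign stripped)."""
    if value >= TIMESPAN_MAX_MS:
        return "infinite"
    if value >= SANDBOX_THRESHOLD:
        return "long"
    return "short"


def analyse(lines) -> EvasionFindings:
    """Extract sleep and WMI evasion signals from report-format lines."""
    f = EvasionFindings()
    for line in lines:
        if (m := SLEEP_RE.search(line)):
            tid, value = int(m.group(1)), int(m.group(2))
            kind = classify_sleep(value)
            if kind == "infinite":
                f.infinite_sleeps.append((tid, value))
            elif kind == "long":
                f.long_sleeps.append((tid, value))
        elif (m := COUNT_RE.search(line)):
            f.sleep_loops.append((int(m.group(1)), int(m.group(2))))
        elif (m := WMI_RE.search(line)):
            f.wmi_classes.setdefault(m.group(3), set()).add(m.group(1))
    return f


def evasion_score(f: EvasionFindings) -> int:
    """Additive score; the weights are illustrative assumptions, not a vendor scale."""
    score = 3 * bool(f.infinite_sleeps)
    score += min(len(f.long_sleeps), 3)
    score += 2 * bool(f.sleep_loops)
    score += 2 * len(set(f.wmi_classes) & set(VM_FINGERPRINT_CLASSES))
    return score


if __name__ == "__main__":
    found = analyse(REPORT_LINES)
    print(f"TimeSpan.MaxValue in ms = {TIMESPAN_MAX_MS}")
    for tid, v in found.infinite_sleeps:
        print(f"TID {tid}: sleep {v} -> effectively unbounded")
    for cls, methods in found.wmi_classes.items():
        meaning = VM_FINGERPRINT_CLASSES.get(cls, "not a known VM-fingerprint class")
        print(f"WMI {cls} via {sorted(methods)}: {meaning}")
    print("evasion score:", evasion_score(found))
```

The same parser works on any Joe Sandbox behaviour export in this line format; the threshold and weights are the knobs to tune against your own sandbox's baseline of benign samples.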

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4_2_06490E90 KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
(InstallUtil.exe is a legitimate .NET Framework utility that normally lives under the framework directory; this copy runs from the user's %TEMP%, and it is the process whose memory carries the Yara-matched unpacked PE 4.2.InstallUtil.exe.400000.0.unpack listed under Stealing of Sensitive Information. A framework binary copied to %TEMP% and started by a user-land executable is the hunting lead here.)
Source: InstallUtil.exe, 00000004.00000002.834510496.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000004.00000002.834510496.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000004.00000002.834510496.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: InstallUtil.exe, 00000004.00000002.834510496.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
(Program Manager, Progman and Shell_TrayWnd are the window title and class names of the Explorer desktop and taskbar; looking them up is a common way to confirm an interactive shell is running.)

Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Queries volume information: C:\Users\user\Desktop\Confirma plata soldului.exe VolumeInformation
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
(The volume-information queries against GAC assemblies are the .NET loader resolving System.Windows.Forms, Microsoft.VisualBasic and friends; they are noise on their own. The two entries that follow are the interesting ones.)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4_2_06490878 GetUserNameW,
Source: C:\Users\user\Desktop\Confirma plata soldului.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
(MachineGuid is a stable per-installation identifier; reading it alongside the user name is the usual way a stealer builds a victim ID for its exfiltrated data.)

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.491982233.0000000007983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.482027324.000000000795D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.482600084.0000000007966000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483769307.0000000007966000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.482786894.0000000007966000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.481640263.0000000007F0A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.482969766.0000000007966000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.488883519.0000000004257000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483966669.000000000797C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.834936893.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.481979570.0000000007F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484141918.0000000007F1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.832990872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.482326234.0000000007964000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489098159.0000000004305000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.486679279.0000000002A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirma plata soldului.exe PID: 728, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1316, type: MEMORY
Source: Yara match | File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
(Every credential store is probed by InstallUtil.exe (PID 1316), the injected host process, not by the original sample. These are open attempts: on a host with none of these clients installed the probe still happens, so a detection should key on the attempt against these paths and keys rather than on a successful read.)
Source: Yara match | File source: 00000004.00000002.834936893.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1316, type: MEMORY
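Turning the credential-store accesses above into a host-side correlation rule, as an added example that is not part of the report: a process that opens two or more distinct credential stores within a short window is flagged, while the owning application reading its own store is ignored. The store list (WinSCP sessions key, Firefox and Thunderbird profiles.ini, FileZilla recentservers.xml, SmartFTP favourites, the Outlook profile key, IncrediMail identities) is taken from the report; the telemetry line format, the constructed sample events, the 60-unit window, the two-store threshold and the owner allowlist are assumptions.

```python
import re
from collections import defaultdict

WINDOW = 60        # correlate accesses within 60 time units (assumption)
MIN_DISTINCT = 2   # two different stores from one process is already unusual (assumption)

# Credential stores probed in the report, as regexes over a normalised path
# (lower-case, profile directory replaced by %appdata%, HKEY_CURRENT_USER by hkcu).
CREDENTIAL_STORES = [
    ("winscp",      re.compile(r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions")),
    ("firefox",     re.compile(r"^%appdata%\\mozilla\\firefox\\profiles\.ini$")),
    ("filezilla",   re.compile(r"^%appdata%\\filezilla\\recentservers\.xml$")),
    ("smartftp",    re.compile(r"^%appdata%\\smartftp\\client 2\.0\\favorites\\")),
    ("thunderbird", re.compile(r"^%appdata%\\thunderbird\\profiles\.ini$")),
    ("outlook",     re.compile(r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\")),
    ("incredimail", re.compile(r"^hkcu\\software\\incredimail\\identities")),
]

# Applications expected to read their own store (assumption; tune per estate).
OWNERS = {
    "firefox": {"firefox.exe"}, "thunderbird": {"thunderbird.exe"},
    "filezilla": {"filezilla.exe"}, "winscp": {"winscp.exe"}, "outlook": {"outlook.exe"},
}

_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming")
# Hypothetical key=value telemetry line; image and target may contain spaces.
EVENT_RE = re.compile(r"^ts=(\d+) pid=(\d+) image=(.+?) op=(\w+) target=(.+)$")

# Constructed sample telemetry (not real logs): PID 1316 replays the report's
# probes, firefox.exe reads its own profile, explorer touches a document, and
# backup.exe touches two stores but far apart in time.
SAMPLE_EVENTS = [
    r"ts=1000 pid=1316 image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe op=RegOpen target=HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"ts=1001 pid=1316 image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe op=FileOpen target=C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"ts=1002 pid=1316 image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe op=FileOpen target=C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"ts=1003 pid=1316 image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe op=FileOpen target=C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"ts=1004 pid=1316 image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe op=RegOpen target=HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"ts=1010 pid=4040 image=C:\Program Files\Mozilla Firefox\firefox.exe op=FileOpen target=C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"ts=1020 pid=5120 image=C:\Windows\explorer.exe op=FileOpen target=C:\Users\user\Documents\report.docx",
    r"ts=1030 pid=6000 image=C:\Tools\backup.exe op=FileOpen target=C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"ts=2000 pid=6000 image=C:\Tools\backup.exe op=FileOpen target=C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
]


def normalise(target: str) -> str:
    """Lower-case the path and fold user-specific prefixes so one regex fits every user."""
    t = target.lower().replace("hkey_current_user", "hkcu")
    return _PROFILE_RE.sub("%appdata%", t)


def classify(target: str):
    """Return the credential-store name a path or key belongs to, or None."""
    t = normalise(target)
    for name, rx in CREDENTIAL_STORES:
        if rx.search(t):
            return name
    return None


def parse(line: str):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, pid, image, op, target = m.groups()
    return {"ts": int(ts), "pid": int(pid), "image": image, "op": op, "target": target}


def detect(lines):
    """Alert on processes touching >= MIN_DISTINCT stores within WINDOW; one alert per process."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        store = classify(ev["target"])
        if store is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in OWNERS.get(store, set()):
            continue  # the application reading its own store is expected
        per_proc[(ev["pid"], ev["image"])].append((ev["ts"], store))

    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > WINDOW:   # slide the window start forward
                lo += 1
            if len({s for _, s in hits[lo:hi + 1]}) >= MIN_DISTINCT:
                # once tripped, report every store touched from the window start onward
                alerts.append({"pid": pid, "image": image,
                               "stores": sorted({s for _, s in hits[lo:]}),
                               "first_ts": hits[lo][0], "last_ts": hits[-1][0]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} stores={a['stores']} "
              f"t={a['first_ts']}..{a['last_ts']}")
```

Feeding real Sysmon or EDR file/registry events only requires replacing parse(); the normalisation step is what keeps the store list user-independent.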

Remote Access Functionality:

Yara detected AgentTesla
Source: the same 19 Yara matches (memory dumps, the process memory spaces of Confirma plata soldului.exe PID 728 and InstallUtil.exe PID 1316, and the unpacked PE 4.2.InstallUtil.exe.400000.0.unpack) as listed under Stealing of Sensitive Information.

Mitre Att&ck Matrix

Cells are separated with " | "; "-" marks an empty cell. Techniques the report matched for this sample carry the report's matched-signature counters (for example "Process Injection 12"), kept as printed; the remaining cells are the unmatched techniques of the matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Hidden Files and Directories 1 | Process Injection 12 | Masquerading 1 | Credential Dumping 2 | Virtualization/Sandbox Evasion 13 | Application Deployment Software | Email Collection 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Hidden Files and Directories 1 | Credentials in Registry 1 | Process Discovery 2 | Remote Services | Data from Local System 2 | Exfiltration Over Other Network Medium | Uncommonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Software Packing 1 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Disabling Security Tools 1 | Credentials in Files | Account Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 11 | SIM Card Swap | - | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion 13 | Account Manipulation | System Owner/User Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 12 | Brute Force | Security Software Discovery 211 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Deobfuscate/Decode Files or Information 1 | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Obfuscated Files or Information 2 | Bash History | System Information Discovery 114 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

Screenshots