
Analysis Report SecuriteInfo.com.Trojan.PackedNET.375.24708.7902

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PackedNET.375.24708.7902 (renamed file extension from 7902 to exe)
Analysis ID: 255543
MD5: c04c690294b235ee97c62ba378b09a45
SHA1: 2882772726f72de9507eeb0cb6e689a21da3875e
SHA256: 55827a9e773dfce60d622e28adf9ece39b9116a4efe7e5283485c6dee1069689

Detection

AgentTesla
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
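
The execution chain behind several of these signatures (drops PE files, creates a process in suspended mode, sample file name differs from version info) is the sample on the Desktop writing a copy of InstallUtil.exe into the user's Temp directory and starting it as the host for the injected payload. The checks below are an added example, not code from the sandbox vendor or from this report: they apply three provenance tests to process-creation records constructed to mirror Sysmon Event ID 1 fields for the report's process tree. The host list beyond InstallUtil.exe, the explorer.exe parent of the first event and the benign third event are assumptions.

```python
"""Process-provenance checks for the execution chain in this report:
the sample on the Desktop drops a copy of InstallUtil.exe into the user's
Temp directory and starts it (suspended) as the host for the AgentTesla
payload.

Added example, not part of the sandbox report or any vendor product.
The records below are constructed to mirror Sysmon Event ID 1 fields
(Image, ParentImage, OriginalFileName) for the report's process tree;
they are not real telemetry."""
from pathlib import PureWindowsPath

# Assumption: .NET framework utilities commonly copied out of their install
# directory and used as injection hosts. The report shows only InstallUtil.exe;
# the other names extend the same idea.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "aspnet_compiler.exe"}
DOTNET_DIRS = (PureWindowsPath(r"C:\Windows\Microsoft.NET\Framework"),
               PureWindowsPath(r"C:\Windows\Microsoft.NET\Framework64"))
USER_WRITABLE = ("\\users\\", "\\programdata\\")


def _under(path, roots):
    """True if path lies below one of roots (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess(event):
    """Return the provenance findings for one process-creation event."""
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    findings = []
    if name in DOTNET_HOSTS and not _under(event["Image"], DOTNET_DIRS):
        findings.append(f"dotnet_host_outside_framework_dir:{image.name}")
    original = event.get("OriginalFileName", "-")
    if original != "-" and original.lower() != name:   # Sysmon uses "-" when absent
        findings.append(f"version_info_name_mismatch:{original}!={image.name}")
    if _user_writable(event["ParentImage"]) and _user_writable(event["Image"]):
        findings.append("user_writable_parent_and_child")
    return findings


# Constructed events mirroring the report's process tree. The explorer.exe
# parent of the first event and the third (benign baseline) event are assumptions.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "vSXyCORfFPbmbaYJ.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe",
     "OriginalFileName": "InstallUtil.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "InstallUtil.exe"},
]


def triage(events):
    """(image name, findings) for every event; empty findings mean no concern."""
    return [(PureWindowsPath(e["Image"]).name, assess(e)) for e in events]


if __name__ == "__main__":
    for image_name, findings in triage(EVENTS):
        print(image_name, findings or "clean")
```

Of the three tests, the version-info mismatch is the weakest on its own (renamed installers and downloads trigger it constantly); the one worth alerting on is the first, since the genuine InstallUtil.exe carries its own PDB path and has no reason to execute from a Temp directory.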

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "nnRaj6I0NtB8", "URL: ": "https://q2VQDlcQK1rH2nQa.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yYNHlOe", "From: ": "david01smith@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.314951732.0000000005BA9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.323212768.0000000005BB4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.534454385.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.313996550.0000000005B70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.315056604.0000000005BAC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(14 entries in total; only the first five are reproduced here)

            Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

              Sigma Overview

              No Sigma rule has matched

              Signature Overview


              AV Detection:

Found malware configuration
Source: InstallUtil.exe.1944.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "nnRaj6I0NtB8", "URL: ": "https://q2VQDlcQK1rH2nQa.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yYNHlOe", "From: ": "david01smith@yandex.com"}
Source: global traffic | TCP traffic: 192.168.2.6:49739 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: InstallUtil.exe, 00000006.00000002.537767307.0000000002BD8000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: InstallUtil.exe, 00000006.00000002.537489793.0000000002AB8000.00000004.00000001.sdmp | String found in binary or memory: https://q2VQDlcQK1rH2nQa.org
Source: InstallUtil.exe, 00000006.00000002.542056534.0000000006076000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Code function: 0_2_005076DC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code functions: 6_2_006820B0, 6_2_0104FB30, 6_2_0104FB20, 6_2_04E80040, 6_2_04E88198, 6_2_04E82F80, 6_2_04E873C8, 6_2_04E83C48, 6_2_04E8FBF0, 6_2_04E84071, 6_2_04E80006, 6_2_04E88188, 6_2_04E82F70, 6_2_04E8778F, 6_2_04E873B9, 6_2_04E8FC66, 6_2_04E87803, 6_2_04E8FBE0, 6_2_05F58700, 6_2_05F589D0, 6_2_05F5D928, 6_2_05F50040, 6_2_05F5E038, 6_2_05F5B350, 6_2_05F58270, 6_2_05F5BD9C, 6_2_05F5C4F5, 6_2_05F5BCD9, 6_2_05F586F0, 6_2_05F5A620, 6_2_05F589C1, 6_2_05F5C930, 6_2_05F5D917, 6_2_05F5B058, 6_2_05F5B048, 6_2_05F5A010, 6_2_05F58337, 6_2_05F5CA9C, 6_2_05F58261, 6_2_05FE6500, 6_2_05FE06E8, 6_2_05FE81A0, 6_2_05FE43A0, 6_2_05FEBCB0, 6_2_05FE0F98, 6_2_05FE2BF8, 6_2_05FE7B40, 6_2_05FE4B28, 6_2_05FE6A10, 6_2_05FE1573, 6_2_05FE64EF, 6_2_05FE06D8, 6_2_05FE8190, 6_2_05FE0040, 6_2_05FEA377, 6_2_05FE7200, 6_2_05FE1200, 6_2_05FEBCA0, 6_2_05FE9C40, 6_2_05FE499C
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Binary or memory string: OriginalFilenamevSXyCORfFPbmbaYJ.exe vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000003.314951732.0000000005BA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLKQKfVvHCzDrQhJAbeNfYMsvSXyCORfFPbmbaYJ.exe4 vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000002.316463589.00000000005A8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename6.exeD vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000002.319476992.0000000002B6B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevSXyCORfFPbmbaYJ.exe( vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000002.319476992.0000000002B6B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000002.319055441.00000000029A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefdfrf.dll4 vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe, 00000000.00000002.319299055.0000000002AF3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHollow.dll. vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Binary or memory string: OriginalFilenamevSXyCORfFPbmbaYJ.exe( vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Binary or memory string: OriginalFilename6.exeD vs SecuriteInfo.com.Trojan.PackedNET.375.24708.exe
Source: classification engine | Classification label: mal80.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000006.00000002.534786173.0000000000682000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
              Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_00502CE2 push ecx; ret 0_2_00502CE6
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_010071B7 pushad ; iretd 0_2_010071BB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_010079ED push edi; iretd 0_2_010079F1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_010070ED pushad ; iretd 0_2_010070F1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_01007B68 push esi; iretd 0_2_01007B7D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_01007A12 push edi; iretd 0_2_01007A16
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_01007A4E push edi; iretd 0_2_01007A52
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_01007A7F push edi; iretd 0_2_01007A80
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeCode function: 0_2_01007AE1 push esi; iretd 0_2_01007AE5
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 6_2_05F5512F push edi; retn 0000h6_2_05F55131
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 6_2_05F5B86E push 69D44589h; ret 6_2_05F5B878
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 6_2_05F5B869 push 69D44589h; ret 6_2_05F5B878
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 6_2_05FE311B push 8B984589h; retf 6_2_05FE3120
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 6_2_05FE4903 push cs; iretd 6_2_05FE490F
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 395
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe TID: 7032 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe TID: 5340 | Thread sleep count: 193 > 30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe TID: 7004 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1284 | Thread sleep count: 395 > 30
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1284 | Thread sleep count: 191 > 30
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -58188s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -58000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -54906s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -54688s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -54000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -53812s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -53594s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -52906s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -52688s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -50812s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -47312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -40500s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -40312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -36312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -31812s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Last function: Thread delayed
              Source: InstallUtil.exe, 00000006.00000002.540833177.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: InstallUtil.exe, 00000006.00000002.540833177.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: InstallUtil.exe, 00000006.00000002.540833177.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: InstallUtil.exe, 00000006.00000002.542018577.0000000006050000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: InstallUtil.exe, 00000006.00000002.540833177.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 6_2_05F5D928 LdrInitializeThunk, 6_2_05F5D928
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: InstallUtil.exe, 00000006.00000002.537219649.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: InstallUtil.exe, 00000006.00000002.537219649.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: InstallUtil.exe, 00000006.00000002.537219649.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Program ManagerNd[\
              Source: InstallUtil.exe, 00000006.00000002.537219649.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.375.24708.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000000.00000003.314951732.0000000005BA9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.323212768.0000000005BB4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.534454385.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.313996550.0000000005B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.315056604.0000000005BAC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.314600816.0000000005C62000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.320135791.0000000003A02000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.319055441.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.315011247.0000000005BAC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.313835410.0000000005B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.320247015.0000000003AB0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.314123210.0000000005B70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.313640446.0000000005B69000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.314654000.0000000005C7B000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.537489793.0000000002AB8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1944, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.375.24708.exe PID: 6984, type: MEMORY
              Source: Yara match | File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: 00000006.00000002.537489793.0000000002AB8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1944, type: MEMORY
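
              The two sections above (sandbox evasion via WMI hardware queries and long sleeps, and the credential-store accesses by InstallUtil.exe) are the lines a responder actually reads out of a report like this. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it runs over a handful of behaviour lines constructed from the report above and pulls out the WMI classes used for VM fingerprinting, the sleep calls whose magnitude meets the threshold printed on the same line, and the applications whose credential stores were touched. It also decodes the `.sdmp` names from the Yara section; the field layout assumed there (process index, phase, dump id, base address, page protection, dump type) is an assumption of this example, while the `PAGE_*` values are Windows' own constants.

```python
"""Triage helper for flattened Joe Sandbox behaviour lines.

Added example, not code from the report or the sample. Parses
"Source: <process> | <event>" lines and extracts evasion and
credential-theft indicators, plus a decoder for .sdmp dump names.
"""
import re
from collections import defaultdict

# Constructed sample input: behaviour lines taken from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7120 | Thread sleep time: -31812s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]

WMI_RE = re.compile(r"WMI Queries: IWbemServices::(\w+) - (\S+) : (.+)$")
# Tolerates both the "TID: n | Thread sleep" and the unseparated "TID: nThread sleep" layouts.
SLEEP_RE = re.compile(r"TID: (\d+)\s*\|?\s*Thread sleep time: -(\d+)s >= -(\d+)s$")
ACCESS_RE = re.compile(r"(File opened|Key opened|Key value queried): (.+)$")

# WMI hardware classes routinely enumerated to fingerprint a VM; the report
# flags Win32_Bios/Win32_BaseBoard, Win32_NetworkAdapter* and Win32_Processor.
VM_FINGERPRINT_CLASSES = {c.lower() for c in (
    "Win32_BIOS", "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_DiskDrive",
)}

# Credential-store locations the report shows InstallUtil.exe opening, keyed by
# application; matched case-insensitively as path substrings.
CRED_STORES = {
    "WinSCP": r"martin prikryl\winscp",
    "Firefox": r"mozilla\firefox\profiles.ini",
    "FileZilla": r"filezilla\recentservers.xml",
    "SmartFTP": r"smartftp\client",
    "Thunderbird": r"thunderbird\profiles.ini",
    "IncrediMail": r"incredimail\identities",
    "Outlook": r"windows messaging subsystem\profiles\outlook",
}

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def wmi_vm_queries(lines):
    """(IWbemServices method, WMI class) for each query against a VM-fingerprinting class."""
    hits = []
    for line in lines:
        m = WMI_RE.search(line)
        if not m:
            continue
        method, _namespace, query = m.groups()
        cls = re.search(r"Win32_\w+", query)  # works for both enum and WQL forms
        if cls and cls.group(0).lower() in VM_FINGERPRINT_CLASSES:
            hits.append((method, cls.group(0)))
    return hits


def long_sleeps(lines):
    """(thread id, seconds) for sleeps whose magnitude meets the threshold on the same line.
    Both values are printed as negative relative intervals, so compare absolute values."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(SLEEP_RE.search, lines)
            if m and int(m.group(2)) >= int(m.group(3))]


def credential_store_access(lines):
    """Map each application whose credential store was touched to the paths accessed."""
    touched = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        path = m.group(2)
        for app, fragment in CRED_STORES.items():
            if fragment in path.lower():
                touched[app].append(path)
    return dict(touched)


def parse_dump_name(name):
    """Decode a .sdmp name such as 00000006.00000002.534454385.0000000000402000.00000040.00000001.sdmp.
    Assumed layout: process index, phase, dump id, base address, page protection, dump type."""
    proc, phase, _dump_id, base, prot, _kind = name.split(".")[:6]
    prot_val = int(prot, 16)
    return {
        "process": int(proc, 16),
        "phase": int(phase, 16),
        "base": int(base, 16),
        "protection": PAGE_PROTECTION.get(prot_val, hex(prot_val)),
        "executable": bool(prot_val & 0xF0),  # PAGE_EXECUTE* flags are 0x10..0x80
    }


def triage(lines):
    """Summarise the evasion and credential-theft indicators in one dict."""
    return {
        "vm_fingerprint_queries": wmi_vm_queries(lines),
        "long_sleeps": long_sleeps(lines),
        "credential_stores": sorted(credential_store_access(lines)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
    print(parse_dump_name("00000006.00000002.534454385.0000000000402000.00000040.00000001.sdmp"))
```

              Run against the report's own Yara list, the decoder singles out `00000006.00000002.534454385.0000000000402000.00000040.00000001.sdmp`: process 6 is InstallUtil.exe, the base is 0x402000 and the protection is PAGE_EXECUTE_READWRITE, which is the in-memory unpacked payload that the `6.2.InstallUtil.exe.400000.0.unpack` UNPACKEDPE entry corresponds to; the Hyper-V string hits at 0x5B50000 in the evasion section decode to PAGE_READONLY and are not code.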

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | the same memory dumps, process memory spaces and unpacked PE listed under Stealing of Sensitive Information above

              Mitre Att&ck Matrix

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: Windows Management Instrumentation 211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
              Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
              Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
              Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 13; Disable or Modify Tools 1; Process Injection 12; Obfuscated Files or Information 1; Steganography
              Credential Access: OS Credential Dumping 2; Credentials in Registry 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: Security Software Discovery 111; Virtualization/Sandbox Evasion 13; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 114
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: Email Collection 1; Archive Collected Data 1; Data from Local System 2; Input Capture; Keylogging; GUI Input Capture
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 11; Fallback Channels; Multiband Communication
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious