
Analysis Report SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.6362

Overview

General Information

Sample Name: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.6362 (renamed file extension from 6362 to exe)
Analysis ID: 255546
MD5: f108e175cc7040b532b626a53fab0467
SHA1: 514fea1fd4c8225ba1bdcc6773a3b3a22fb4c6d1
SHA256: 6cae4157fa881aeff07106782955aa3f021032121f66b3c1af060265cd20d126

Detection

Detected: AgentTesla
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe' MD5: F108E175CC7040B532B626A53FAB0467)
    • schtasks.exe (PID: 7088 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\IigZpZ.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author
00000003.00000000.256683614.0000000000582000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2e982:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000003.00000002.516760836.0000000002CE0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.264693998.0000000004ADA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.512404522.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.257343938.0000000000AE2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2e982:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(7 further memory-dump entries are not included in this extract)

Unpacked PEs

Source | Rule | Description | Author
3.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.0.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.ae0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.0.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.580000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.580000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.ae0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x2eb82:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
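The SUSP_Reversed_Base64_Encoded_EXE hits above (and the matched-rule lines repeated under System Summary further down) rest on one observation: a PE that has been base64-encoded and then written backwards still carries a fixed fingerprint, because the MS-DOS stub message sits at file offset 0x4E, a multiple of 3, so its 52 base64 characters never depend on neighbouring bytes. The Python below is an added example, not part of the Joe Sandbox report and not the text of Florian Roth's rule (only its $sh3 string appears on this page; the rule's other strings and its condition are not assumed here). It recovers the plaintext behind the report's $sh3 string by reversing and decoding it, then runs the same idea as a scanner over a constructed buffer in which a fake PE is hidden the way the rule expects.

```python
"""Recover the plaintext behind a reversed-base64 YARA string and scan for it.

Added example for this report; not the Joe Sandbox tooling and not the text of
Florian Roth's SUSP_Reversed_Base64_Encoded_EXE rule (only its $sh3 string is
shown on the page).
"""
import base64

# $sh3 exactly as printed in the report's Yara Overview (match at 0x2eb82 in the sample).
SH3_FROM_REPORT = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"

# The MS-DOS stub message every standard PE carries at file offset 0x4E.
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode."


def reversed_base64(data: bytes) -> str:
    """Base64-encode data and reverse the character order (the encoding the rule targets)."""
    return base64.b64encode(data).decode("ascii")[::-1]


def decode_reversed_base64(s: str) -> bytes:
    """Undo reversed_base64(); re-adds '=' padding in case the string was cut at a 4-char group."""
    forward = s[::-1]
    forward += "=" * (-len(forward) % 4)
    return base64.b64decode(forward)


def find_reversed_pe_markers(blob: bytes) -> list:
    """Return (offset, label) for each reversed-base64 PE fingerprint found in blob.

    0x4E = 78 is a multiple of 3, so when a PE is base64-encoded from its first
    byte the stub message's 52 encoded characters are independent of the bytes
    around it; those 52 characters reversed are exactly the report's $sh3."""
    needles = {"dos_stub": reversed_base64(DOS_STUB_MESSAGE).encode("ascii")}
    hits = []
    for label, needle in needles.items():
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(needle, pos + 1)
    return hits


def build_sample_blob() -> bytes:
    """Constructed sample (not from the report): a fake DOS header/stub with the
    message at offset 0x4E, base64-encoded, reversed and wrapped in filler bytes,
    the way a loader might store an embedded payload."""
    fake_pe = b"MZ" + b"\x00" * 76 + DOS_STUB_MESSAGE + b"\x00" * 10
    assert fake_pe.index(DOS_STUB_MESSAGE) == 0x4E
    hidden = reversed_base64(fake_pe).encode("ascii")
    return b"FILLER" * 4 + hidden + b"TRAILER"


if __name__ == "__main__":
    print(decode_reversed_base64(SH3_FROM_REPORT))
    print(find_reversed_pe_markers(build_sample_blob()))
```

Decoding $sh3 yields the stub message, which is why one string is enough to say "there is a reversed base64 PE in here" without knowing anything else about the payload. The same alignment argument means the check fails if the encoder started at a byte that is not a multiple of 3 before the PE (a prefix of 1 or 2 bytes shifts every group), so a production rule would carry all three phase-shifted variants; only the aligned one is derived here.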

          Sigma Overview

          System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe'
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
  ParentProcessId: 7024
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
  ProcessId: 7088
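This Sigma hit ties together three artifacts listed elsewhere in the report: the copy dropped to C:\Users\user\AppData\Roaming\IigZpZ.exe, the task definition written to C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp, and the schtasks.exe /Create call that registers it as Updates\IigZpZ from a parent that is not a system binary. The Python below is an added example, not Joe Security's rule (whose exact conditions are not on this page): it parses process-creation events shaped like the fields above and flags schtasks /Create calls whose /XML argument points into a Temp directory. The events are constructed; the first copies the report's command line, the other two are benign look-alikes that the logic must ignore.

```python
"""Flag 'schtasks /Create ... /XML <Temp path>' in process-creation telemetry.

Added example for this report; not Joe Security's Sigma rule text. Field names
follow the Sigma Overview above (Image, CommandLine, ParentImage, ProcessId).
"""
import re

# Constructed events: the first copies the command line from the report,
# the other two are benign look-alikes the logic must ignore.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe",
        "ProcessId": 7088,
    },
    {   # legitimate task import from a non-temp location
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 4242,
    },
    {   # query only, no task creation
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Query /TN 'Updates\IigZpZ'",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 4243,
    },
]

# Quoted arguments may use "..." or, as this report renders them, '...'.
TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")
# Temp locations this check treats as suspicious homes for a task definition.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring both quote styles."""
    return [a or b or c for a, b, c in TOKEN.findall(cmdline)]


def schtasks_switches(tokens):
    """Map lower-cased schtasks switches to their values ('' for bare flags such as /Create)."""
    switches = {}
    i = 1  # tokens[0] is the program path
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = ""
        i += 1
    return switches


def scheduled_task_from_temp(event):
    """Return a finding when the event is schtasks /Create with /XML under a Temp dir, else None."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    switches = schtasks_switches(tokenize(event["CommandLine"]))
    if "create" not in switches or "xml" not in switches:
        return None
    xml_path = switches["xml"]
    if not TEMP_DIR.search(xml_path):
        return None
    return {
        "ProcessId": event["ProcessId"],
        "ParentImage": event["ParentImage"],
        "TaskName": switches.get("tn", ""),
        "XmlPath": xml_path,
    }


def scan(events):
    """Apply the check to every event and return the findings."""
    return [f for f in (scheduled_task_from_temp(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The check needs command lines in the telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled); without them only the image name survives and a /Query is indistinguishable from a /Create. For triage the finding's TaskName and XmlPath are the two things to pull from the host: the registered task (here Updates\IigZpZ) shows what gets launched at logon or on schedule, and the XML, if it has not already been deleted from Temp, shows the action and trigger the sample chose.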

          Signature Overview


          AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\IigZpZ.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://Goriot.codeplex.com/
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://remnantmods.com/forums
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://remnantmods.com/forums/https://Goriot.codeplex.com/workitem/list/basic
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: https://Goriot.codeplex.com/discussions
Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: https://Goriot.codeplex.com/workitem/list/basic

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, Window created: window name: CLIPBRDWNDCLASS

          System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, Code functions (0_2_ prefix):
  0_2_02D021B8, 0_2_02D017B1, 0_2_02D09448, 0_2_02D00470, 0_2_02D0A468, 0_2_02D079E0, 0_2_02D00FC8, 0_2_02D06DE0, 0_2_02D072F0, 0_2_02D05351, 0_2_02D05360, 0_2_02D04090, 0_2_02D06088, 0_2_02D040A0, 0_2_02D06066, 0_2_02D05740, 0_2_02D05730, 0_2_02D05588, 0_2_02D05578, 0_2_02D05A88, 0_2_02D079D0, 0_2_02D07FE8, 0_2_02D04F90, 0_2_02D04F81, 0_2_02D00F85, 0_2_02D01C80, 0_2_02D06D97
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, Code functions (3_2_ prefix):
  3_2_00C9F430, 3_2_00C9F710, 3_2_00C9F420, 3_2_00C9F700, 3_2_0127C130, 3_2_01272800, 3_2_01276C48, 3_2_01271614, 3_2_01277A90, 3_2_01271D20, 3_2_0127C120, 3_2_01276C3D, 3_2_01276FFE, 3_2_01277072, 3_2_01277A83, 3_2_05BC9DB8, 3_2_05BCEC10, 3_2_05BCDEA1, 3_2_05BCE620, 3_2_05BCAA5E, 3_2_05BC5598, 3_2_05BCADCB, 3_2_05BCAD40, 3_2_05BCACB8, 3_2_05BCACFC, 3_2_05BC4CC8, 3_2_05BCAC2D, 3_2_05BC8738, 3_2_05BCAE0F, 3_2_05BC4980, 3_2_05BCA901, 3_2_05BCAB8C, 3_2_05BCAB04, 3_2_05BCAB48, 3_2_05BCAAC0, 3_2_05BCAA7C, 3_2_05E8D470, 3_2_05E8C420, 3_2_05E877B0, 3_2_05E8DC53, 3_2_05E8C411, 3_2_05E8B9C1, 3_2_05E8C849, 3_2_05E8C858, 3_2_05E8B820, 3_2_05E893E8, 3_2_05E8C3E9, 3_2_05E893D8, 3_2_05E8EB90, 3_2_05E8EA38
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: IigZpZ.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAndroidStudio.dll< vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLazarus.exe4 vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.258754310.0000000002F41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamefabgIGvRaAQvhWCRYMhfDCRaAE.exe4 vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.265937984.0000000007E30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.266400988.0000000008B50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.266400988.0000000008B50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000000.00000002.257343938.0000000000AE2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYBeGE.exe> vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000000.256683614.0000000000582000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYBeGE.exe> vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.513251933.0000000000AF7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.520217681.0000000006080000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.512404522.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamefabgIGvRaAQvhWCRYMhfDCRaAE.exe4 vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.518646441.0000000005100000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.514799572.0000000000E6A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeBinary or memory string: OriginalFilenameYBeGE.exe> vs SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, type: SAMPLEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000003.00000000.256683614.0000000000582000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000002.257343938.0000000000AE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000003.00000002.512659457.0000000000582000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000000.247421476.0000000000AE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7024, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7136, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: C:\Users\user\AppData\Roaming\IigZpZ.exe, type: DROPPEDMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.0.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 3.0.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.580000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 3.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.580000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: IigZpZ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal88.troj.spyw.evad.winEXE@6/4@0/0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeFile created: C:\Users\user\AppData\Roaming\IigZpZ.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD4A3.tmpJump to behavior
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe {path}
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe {path}
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Static file information: File size 1120768 > 1048576
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 0_2_00AE76EA push FFFFFF80h; retn 0001h 0_2_00AE76EE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 0_2_00AE7BA5 push ebp; ret 0_2_00AE7BA6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 0_2_00AE2B23 push 2DE09754h; iretd 0_2_00AE2B49
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_005876EA push FFFFFF80h; retn 0001h 3_2_005876EE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_00582B23 push 2DE09754h; iretd 3_2_00582B49
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_00587BA5 push ebp; ret 3_2_00587BA6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05BCE4D8 push eax; retn 05B6h 3_2_05BCE619
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05BCCDF0 push es; ret 3_2_05BCCE9D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05BC68B0 push dword ptr [esp+edx-75h]; iretd 3_2_05BC6875
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05BCA322 push 8BFFFFFEh; retf 3_2_05BCA32D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05E8B6EB push 39C84569h; retf 3_2_05E8B6F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05E8860E push AA1CC669h; retf 3_2_05E88613
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05E84057 push edi; retn 0000h 3_2_05E84059
          Source: initial sample Static PE information: section name: .text entropy: 7.62164716642
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File created: C:\Users\user\AppData\Roaming\IigZpZ.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Window / User API: threadDelayed 865
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 7028 Thread sleep time: -38000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 7028 Thread sleep time: -40000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 7044 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6640 Thread sleep count: 865 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6640 Thread sleep count: 127 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -49718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -59312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -58906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -58718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -58406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -58000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -57812s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -57594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -57312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -56906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -56500s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -56218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -56000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -55594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -55406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -55218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -54906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -54718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -54500s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -54312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -54094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -53594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -53406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -53218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -52718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -52500s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -52312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -52094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -51406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -51218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -51000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -50312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -50094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -49906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -49218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -49000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -48812s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -48594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -47906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -46406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -46218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -45906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -45718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -45500s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -45312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -45094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -44812s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -44594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -44406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -44218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -44000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -43718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -43500s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -43312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -43094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -42906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -42406s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -42218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -42000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -41094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -40906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -40718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -40218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -40000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -39812s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -39594s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -39312s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -39094s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -38906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -38218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -38000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -36906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -36718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -35812s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -32906s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -32718s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -32218s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe TID: 6744 Thread sleep time: -32000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05E8C420 LdrInitializeThunk, 3_2_05E8C420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IigZpZ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD4A3.tmp'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe {path}
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.516157403.0000000001650000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.516157403.0000000001650000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.516157403.0000000001650000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe, 00000003.00000002.516157403.0000000001650000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Code function: 3_2_05BC37CC GetUserNameW, 3_2_05BC37CC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match File source: 00000003.00000002.516760836.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.264693998.0000000004ADA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.512404522.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.262849767.00000000048B8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7024, type: MEMORY
          Source: Yara match File source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7136, type: MEMORY
          Source: Yara match File source: 3.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.400000.0.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Tries to steal Mail credentials (via file access)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match | File source: 00000003.00000002.516760836.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.264693998.0000000004ADA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.512404522.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.262849767.00000000048B8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7024, type: MEMORY
          Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe PID: 7136, type: MEMORY
          Source: Yara match | File source: 3.2.SecuriteInfo.com.BackDoor.SpyBotNET.25.8385.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Techniques listed per tactic column; the numbers in parentheses are the per-technique counts shown in the matrix.

          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
          Execution: Windows Management Instrumentation (211), Scheduled Task/Job (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
          Persistence: Scheduled Task/Job (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
          Privilege Escalation: Process Injection (12), Scheduled Task/Job (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
          Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (14), Disable or Modify Tools (1), Process Injection (12), Obfuscated Files or Information (2), Software Packing (2), Compile After Delivery, Indicator Removal from Tools
          Credential Access: OS Credential Dumping (1), Input Capture (11), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
          Discovery: Security Software Discovery (12), Virtualization/Sandbox Evasion (14), Process Discovery (2), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (114)
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
          Collection: Email Collection (1), Input Capture (11), Archive Collected Data (1), Data from Local System (1), Clipboard Data (1), GUI Input Capture, Web Portal Capture, Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.