
Analysis Report: CITI BANK Transfer paper.exe

Overview

General Information

Sample Name: CITI BANK Transfer paper.exe
Analysis ID: 281396
MD5: ba580e2f99640215aeba379eabb60f1f
SHA1: bbe579783f57959b6b9b6003213fe54ca2842c20
SHA256: 3525fd909249f56ffbd4fa1389ea0f6526a21ef4aa202adf6cbc788988742cbc

Detection

Nanocore, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected MailPassView
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CITI BANK Transfer paper.exe (PID: 2944 cmdline: 'C:\Users\user\Desktop\CITI BANK Transfer paper.exe' MD5: BA580E2F99640215AEBA379EABB60F1F)
    • schtasks.exe (PID: 5944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CITI BANK Transfer paper.exe (PID: 276 cmdline: C:\Users\user\Desktop\CITI BANK Transfer paper.exe MD5: BA580E2F99640215AEBA379EABB60F1F)
      • vbc.exe (PID: 6780 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 6696 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\y0bcc4vg.0g4' MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
0000000B.00000002.222791033.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.182617910.00000000032A1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000009.00000002.216957243.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
(first 5 of 10 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
9.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
9.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
11.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\CITI BANK Transfer paper.exe, ProcessId: 276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\CITI BANK Transfer paper.exe', ParentImage: C:\Users\user\Desktop\CITI BANK Transfer paper.exe, ParentProcessId: 2944, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp', ProcessId: 5944
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls', CommandLine: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls', CommandLine|base64offset|contains: m, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ParentCommandLine: C:\Users\user\Desktop\CITI BANK Transfer paper.exe, ParentImage: C:\Users\user\Desktop\CITI BANK Transfer paper.exe, ParentProcessId: 276, ProcessCommandLine: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls', ProcessId: 6780

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WBrbWzfl.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\WBrbWzfl.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: CITI BANK Transfer paper.exe | Virustotal: Detection: 27%
Source: CITI BANK Transfer paper.exe | ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WBrbWzfl.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CITI BANK Transfer paper.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: global traffic | TCP traffic: 192.168.2.6:49721 -> 79.134.225.11:1010
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.222791033.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.222791033.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000000B.00000003.222707913.000000000582C000.00000004.00000001.sdmp | String found in binary or memory: auth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000B.00000003.222707913.000000000582C000.00000004.00000001.sdmp | String found in binary or memory: auth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000B.00000003.222691431.000000000582B000.00000004.00000001.sdmp | String found in binary or memory: s://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000B.00000003.222691431.000000000582B000.00000004.00000001.sdmp | String found in binary or memory: s://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: evapimp.myq-see.com
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: CITI BANK Transfer paper.exe, 00000000.00000002.182617910.00000000032A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, vbc.exe, 0000000B.00000002.222791033.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000B.00000002.223323087.00000000050F4000.00000004.00000010.sdmp, ycnyfk3s.mls.9.dr, y0bcc4vg.0g4.11.dr | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 0000000B.00000003.222691431.000000000582B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=000
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Source: CITI BANK Transfer paper.exe, 00000000.00000002.182031043.00000000014CB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Code function: 0_2_064BBC00
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Code function: 0_2_064B0040
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Code function: 0_2_064B001E
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Code function: 0_2_064BB1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: CITI BANK Transfer paper.exe, 00000000.00000002.182803636.00000000033EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBillie.dll< vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.186107204.0000000006BC0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.185727556.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.185843513.0000000006490000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.185843513.0000000006490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.181607330.0000000000EDC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameek2B.exe8 vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000000.00000002.182031043.00000000014CB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000004.00000000.178734483.00000000000BC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameek2B.exe8 vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000005.00000000.179661585.000000000033C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameek2B.exe8 vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe, 00000006.00000000.180572434.0000000000E9C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameek2B.exe8 vs CITI BANK Transfer paper.exe
Source: CITI BANK Transfer paper.exe | Binary or memory string: OriginalFilenameek2B.exe8 vs CITI BANK Transfer paper.exe
Source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.183039364.00000000042CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: CITI BANK Transfer paper.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WBrbWzfl.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@14/10@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File created: C:\Users\user\AppData\Roaming\WBrbWzfl.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7e9d8301-bfb3-41d8-8ccb-7adef88d322a}
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD90D.tmp
Source: CITI BANK Transfer paper.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.222791033.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: CITI BANK Transfer paper.exe | Virustotal: Detection: 27%
Source: CITI BANK Transfer paper.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File read: C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: unknown | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe 'C:\Users\user\Desktop\CITI BANK Transfer paper.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: unknown | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: unknown | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\y0bcc4vg.0g4'
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp'
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Users\user\Desktop\CITI BANK Transfer paper.exe C:\Users\user\Desktop\CITI BANK Transfer paper.exe
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ycnyfk3s.mls'
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\y0bcc4vg.0g4'
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: CITI BANK Transfer paper.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CITI BANK Transfer paper.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: CITI BANK Transfer paper.exe, 00000006.00000003.319853175.00000000079F2000.00000004.00000001.sdmp, vbc.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 9_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,9_2_00403C3D
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exeCode function: 0_2_064B46E6 push ebx; retf 0_2_064B46E7
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exeCode function: 0_2_064B50D9 push es; iretd 0_2_064B50E8
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exeCode function: 0_2_064B50B5 push es; ret 0_2_064B50B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 9_2_00411879 push ecx; ret 9_2_00411889
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 9_2_004118A0 push eax; ret 9_2_004118B4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 9_2_004118A0 push eax; ret 9_2_004118DC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 11_2_00442871 push ecx; ret 11_2_00442881
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 11_2_00442A90 push eax; ret 11_2_00442AA4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 11_2_00442A90 push eax; ret 11_2_00442ACC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 11_2_00446E54 push eax; ret 11_2_00446E61
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.63531589599
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.63531589599
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exeFile created: C:\Users\user\AppData\Roaming\WBrbWzfl.exeJump to dropped file

                    Boot Survival:

                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WBrbWzfl' /XML 'C:\Users\user\AppData\Local\Temp\tmpD90D.tmp'

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File opened: C:\Users\user\Desktop\CITI BANK Transfer paper.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_0040F64B
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM_3
                    Source: Yara match | File source: 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.182617910.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: CITI BANK Transfer paper.exe PID: 2944, type: MEMORY
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary, 11_2_00408836
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Window / User API: threadDelayed 1138
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Window / User API: threadDelayed 8294
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Window / User API: foregroundWindowGot 685
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Window / User API: foregroundWindowGot 744
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe TID: 1812 | Thread sleep time: -51240s >= -30000s
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe TID: 4540 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe TID: 1420 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 9_2_00406EC3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 11_2_00408441
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 11_2_00407E0E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_004161B0 memset,GetSystemInfo, 11_2_004161B0
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: vmware
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                    Source: CITI BANK Transfer paper.exe, 00000000.00000002.182821703.0000000003402000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 11_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary, 11_2_00408836
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 9_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 9_2_00403C3D
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into foreign processes
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Users\user\Desktop\CITI BANK Transfer paper.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 50D6008
                    Source: C:\Users\user\Desktop\CITI BANK Transfer paper.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000