
Analysis Report starx.exe

Overview

General Information

Sample Name:starx.exe
Analysis ID:286317
MD5:2689e0bd727c85849f786822b360cd28
SHA1:ae242d8709f588cc91f9ab814a5efeb6c1a160bc
SHA256:37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
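Two of the signatures above, "May check if the current machine is a sandbox (GetTickCount - Sleep)" and "Contains functionality to detect sleep reduction / modifications", describe the same trick: read the tick counter, call Sleep, read it again, and compare the delta with the requested delay. A sandbox that shortens or skips sleeps to speed up analysis returns too early and gives itself away. The following is an added Python example, not the sample's code and not from this report; it replaces the Win32 calls with injectable clock and sleep functions so the logic runs offline on any OS. The 10 ms tolerance and the SkewedClock model of a sandbox that also advances its tick counter are assumptions, not something the report states.

```python
"""Model of the GetTickCount-around-Sleep check flagged in the signatures.

Added example, not code from the report or from the sample. On Windows the
pattern is GetTickCount(); Sleep(n); GetTickCount() followed by a comparison
of the delta with n. Clock and sleep are injected here so the logic can be
exercised without Windows; the 10 ms tolerance is an assumption.
"""
import time


def observed_delay_ms(sleep_ms, clock_ms, requested_ms):
    """Clock delta (ms) measured around a single sleep call."""
    start = clock_ms()
    sleep_ms(requested_ms)
    return clock_ms() - start


def sleep_was_shortened(sleep_ms, clock_ms, requested_ms, tolerance_ms=10):
    """True when the sleep returned noticeably earlier than requested."""
    delay = observed_delay_ms(sleep_ms, clock_ms, requested_ms)
    return delay < requested_ms - tolerance_ms


def shortened_rounds(sleep_ms, clock_ms, rounds, step_ms, tolerance_ms=10):
    """Repeat the check in a loop (the report shows hundreds of sleep
    iterations on one thread) and return how many rounds came back early."""
    return sum(
        sleep_was_shortened(sleep_ms, clock_ms, step_ms, tolerance_ms)
        for _ in range(rounds)
    )


def real_clock_ms():
    """Stand-in for GetTickCount: a monotonic millisecond counter."""
    return time.monotonic() * 1000.0


def real_sleep_ms(ms):
    """Stand-in for Sleep on an unmodified machine."""
    time.sleep(ms / 1000.0)


def skipping_sleep_ms(ms):
    """Naive sandbox hook that turns Sleep into a no-op; the check catches it."""
    return None


class SkewedClock:
    """Assumed sandbox design: the sleep is skipped, but the tick counter the
    sample reads is advanced by the skipped amount, so the delta matches the
    request and the check cannot tell the difference."""

    def __init__(self):
        self.offset_ms = 0.0

    def clock_ms(self):
        return real_clock_ms() + self.offset_ms

    def sleep_ms(self, ms):
        self.offset_ms += ms


if __name__ == "__main__":
    print("unmodified host :", sleep_was_shortened(real_sleep_ms, real_clock_ms, 50))
    print("sleep skipped   :", sleep_was_shortened(skipping_sleep_ms, real_clock_ms, 200))
    skewed = SkewedClock()
    print("skipped + skewed:", sleep_was_shortened(skewed.sleep_ms, skewed.clock_ms, 200))
```

The point for an analysis environment is the third case: shortening Sleep alone is visible to this sample, so the tick source it reads has to move by the same amount.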

Classification

Startup

  • System is w10x64
  • starx.exe (PID: 4704 cmdline: 'C:\Users\user\Desktop\starx.exe' MD5: 2689E0BD727C85849F786822B360CD28)
    • starx.exe (PID: 4716 cmdline: 'C:\Users\user\Desktop\starx.exe' MD5: 2689E0BD727C85849F786822B360CD28)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.186288931.00000000042B2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
Process Memory Space: starx.exe PID: 4704 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.starx.exe.4280000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0.2.starx.exe.42b0000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: starx.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: starx.exe | Virustotal: Detection: 59%
Source: starx.exe | Metadefender: Detection: 34%
Source: starx.exe | ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: starx.exe | Joe Sandbox ML: detected
Source: 0.2.starx.exe.4280000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408454
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405098
Source: global traffic | TCP traffic: 192.168.2.6:49743 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com
Source: starx.exe, 00000001.00000003.380905836.00000000050D1000.00000004.00000001.sdmp | String found in binary or memory: http://pLvikDz8so2JTAqoPHFt.org
Source: starx.exe, 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: starx.exe, 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00420CC0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00420CC0
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0043DD3C GetKeyboardState,0_2_0043DD3C
Source: starx.exe, 00000000.00000002.183191701.000000000073A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00440CB8 NtdllDefWindowProc_A,GetCapture,0_2_00440CB8
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0045BA98 NtdllDefWindowProc_A,0_2_0045BA98
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0045C240 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045C240
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0045C2F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045C2F0
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042A524 NtdllDefWindowProc_A,0_2_0042A524
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00450C40 GetSubMenu,SaveDC,RestoreDC,7397B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00450C40
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00450C40 0_2_00450C40
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00455F90 0_2_00455F90
Source: C:\Users\user\Desktop\starx.exe | Code function: String function: 00403FC0 appears 68 times
Source: C:\Users\user\Desktop\starx.exe | Code function: String function: 004060D4 appears 62 times
Source: starx.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: starx.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: starx.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: starx.exe, 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameNDEDCeTcqHyGOpNvotAEY.exe4 vs starx.exe
Source: starx.exe, 00000000.00000002.183151787.00000000006C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs starx.exe
Source: starx.exe, 00000000.00000002.183165370.00000000006E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs starx.exe
Source: starx.exe | Binary or memory string: OriginalFilename vs starx.exe
Source: starx.exe, 00000001.00000001.182739284.0000000000467000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameNDEDCeTcqHyGOpNvotAEY.exe4 vs starx.exe
Source: C:\Users\user\Desktop\starx.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\Desktop\starx.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\Desktop\starx.exe | Section loaded: mscorjit.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041DDA8 GetLastError,FormatMessageA,0_2_0041DDA8
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00408606 GetDiskFreeSpaceA,0_2_00408606
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004137F4 FindResourceA,0_2_004137F4
Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\starx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\starx.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: unknown | Process created: C:\Users\user\Desktop\starx.exe 'C:\Users\user\Desktop\starx.exe' (2 occurrences)
Source: C:\Users\user\Desktop\starx.exe | Process created: C:\Users\user\Desktop\starx.exe 'C:\Users\user\Desktop\starx.exe'
Source: C:\Users\user\Desktop\starx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004265C8
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004482AC push 00448339h; ret 0_2_00448331
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00416038 push ecx; mov dword ptr [esp], edx 0_2_0041603A
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0045E088 push 0045E0B4h; ret 0_2_0045E0AC
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00448244 push 004482AAh; ret 0_2_004482A2
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00426224 push 00426250h; ret 0_2_00426248
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004263D0 push 004263FCh; ret 0_2_004263F4
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00436418 push 00436444h; ret 0_2_0043643C
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00424540 push 0042456Ch; ret 0_2_00424564
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E57C push 0042E5A8h; ret 0_2_0042E5A0
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E5CC push 0042E60Fh; ret 0_2_0042E607
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00436580 push 004365ACh; ret 0_2_004365A4
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00428608 push 00428661h; ret 0_2_00428659
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E634 push 0042E677h; ret 0_2_0042E66F
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004306C8 push 0043070Ah; ret 0_2_00430702
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004246D8 push 00424704h; ret 0_2_004246FC
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E6F0 push 0042E73Bh; ret 0_2_0042E733
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E698 push 0042E6E4h; ret 0_2_0042E6DC
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0042E748 push 0042E774h; ret 0_2_0042E76C
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00410736 push 004107AEh; ret 0_2_004107A6
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00410738 push 004107AEh; ret 0_2_004107A6
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004107B0 push 00410858h; ret 0_2_00410850
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041085A push 00410970h; ret 0_2_00410968
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041A8AE push 0041A95Bh; ret 0_2_0041A953
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041A8B0 push 0041A95Bh; ret 0_2_0041A953
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00410944 push 00410970h; ret 0_2_00410968
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041A960 push 0041A9F0h; ret 0_2_0041A9E8
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004069D4 push ecx; mov dword ptr [esp], eax 0_2_004069D5
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0041A9F2 push 0041AD10h; ret 0_2_0041AD08
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00462A60 push 00462A8Ch; ret 0_2_00462A84
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00460AE4 push 00460B24h; ret 0_2_00460B1C
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00412ABC push ecx; mov dword ptr [esp], edx 0_2_00412AC1
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0045BB20 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0045BB20
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004423DC IsIconic,GetCapture,0_2_004423DC
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00424910 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00424910
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00458B48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00458B48
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00442C90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_00442C90
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004435B4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_004435B4
Source: C:\Users\user\Desktop\starx.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\starx.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)
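The behaviour lines in this section and in the evasion section that follows are what an analyst reads across many such reports: SMTP submission traffic to smtp.yandex.com on port 587, a Telegram API string in memory, WMI queries against Win32_Processor, Win32_BaseBoard and Win32_NetworkAdapterConfiguration, starx.exe starting a copy of itself, and one thread sleeping for hours while another loops 836 times. The following Python is an added example, not Joe Sandbox code and not part of this report. It parses lines in the format printed here (the cell separator is accepted either fused, as the raw export has it, or as " | "), extracts the IOCs and per-thread sleep statistics, and derives triage flags. The sample lines are copied from this report; the set of WMI classes treated as VM fingerprinting is taken from the signature names on this page, and the thresholds (30000 and 30) mirror the comparison values the report prints.

```python
"""Triage helper for sandbox behaviour lines in the format shown on this page.

Added example; this is not Joe Sandbox code and not part of the report.
It parses 'Source: <cell> | <event>' lines (fused '<cell><event>' is accepted
too), pulls out network IOCs, WMI queries, process creation and sleep
statistics, and returns analyst flags. REPORT_LINES are copied from this
report; ANTI_VM_WMI and the two thresholds are assumptions derived from the
signature names and comparison values the report prints.
"""
import re
from collections import defaultdict

ANTI_VM_WMI = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
               "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
MAIL_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
LONG_SLEEP_THRESHOLD = 30000         # the report compares sleep values against 30000
SLEEP_LOOP_THRESHOLD = 30            # the report compares sleep counts against 30

SEP = r"\s*\|?\s*"                   # tolerate both ' | ' and the fused export
RE_TCP = re.compile(r"TCP traffic: (\S+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
RE_DNS = re.compile(r"DNS traffic detected: queries for: (\S+)")
RE_URL = re.compile(r"String found in binary or memory: (https?://\S+)")
RE_WMI = re.compile(r"root\\cimv2 : (?:SELECT \* FROM )?(Win32_\w+)")
RE_PROC = re.compile(r"Source: (.+?)" + SEP + r"Process created: (\S+)")
RE_SLEEP = re.compile(r"TID: (\d+)" + SEP + r"Thread sleep time: -(\d+)s >= -(\d+)s")
RE_SLEEPCNT = re.compile(r"TID: (\d+)" + SEP + r"Thread sleep count: (\d+) > (\d+)")

# Lines copied from this report (separator rendered as ' | ').
REPORT_LINES = [
    r"Source: starx.exe | Avira: detected",
    r"Source: global traffic | TCP traffic: 192.168.2.6:49743 -> 77.88.21.158:587",
    r"Source: unknown | DNS traffic detected: queries for: smtp.yandex.com",
    r"Source: starx.exe, 00000001.00000003.380905836.00000000050D1000.00000004.00000001.sdmp | String found in binary or memory: http://pLvikDz8so2JTAqoPHFt.org",
    r"Source: starx.exe, 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/",
    r"Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\starx.exe | Process created: C:\Users\user\Desktop\starx.exe 'C:\Users\user\Desktop\starx.exe'",
    r"Source: C:\Users\user\Desktop\starx.exe TID: 1752 | Thread sleep count: 836 > 30",
    r"Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -59500s >= -30000s",
    r"Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -113000s >= -30000s",
]


def triage(lines):
    """Parse behaviour lines; return (iocs, flags).

    iocs["sleeps"] maps TID -> reported sleep values, iocs["sleep_counts"]
    maps TID -> largest reported loop count. Lines matching nothing are ignored.
    """
    iocs = {"tcp": [], "dns": [], "urls": [], "wmi": [], "spawn": [],
            "sleeps": defaultdict(list), "sleep_counts": {}}
    for line in lines:
        if (m := RE_TCP.search(line)):
            iocs["tcp"].append((m[1], int(m[2]), m[3], int(m[4])))
        elif (m := RE_DNS.search(line)):
            iocs["dns"].append(m[1])
        elif (m := RE_URL.search(line)):
            iocs["urls"].append(m[1])
        elif (m := RE_WMI.search(line)):
            iocs["wmi"].append(m[1])
        elif (m := RE_PROC.search(line)):
            iocs["spawn"].append((m[1], m[2]))
        elif (m := RE_SLEEP.search(line)):
            iocs["sleeps"][m[1]].append(int(m[2]))
        elif (m := RE_SLEEPCNT.search(line)):
            tid, count = m[1], int(m[2])
            iocs["sleep_counts"][tid] = max(iocs["sleep_counts"].get(tid, 0), count)

    flags = set()
    if any(dport in MAIL_PORTS for *_, dport in iocs["tcp"]):
        flags.add("smtp_egress")            # stealer exfiltration over mail submission
    if any(host.startswith("smtp.") for host in iocs["dns"]):
        flags.add("smtp_dns")
    if any("api.telegram.org" in url for url in iocs["urls"]):
        flags.add("telegram_api_string")
    if ANTI_VM_WMI & set(iocs["wmi"]):
        flags.add("anti_vm_wmi")
    if any(parent.lower() == child.lower() for parent, child in iocs["spawn"]):
        flags.add("self_spawn")             # loader starting a copy of itself, as in the Startup tree
    if any(max(v) >= LONG_SLEEP_THRESHOLD for v in iocs["sleeps"].values()):
        flags.add("long_sleep")
    if any(c > SLEEP_LOOP_THRESHOLD for c in iocs["sleep_counts"].values()):
        flags.add("sleep_loop")
    return iocs, flags


def summarize(lines):
    """One-screen summary as text (returned, so it can be logged or asserted on)."""
    iocs, flags = triage(lines)
    parts = ["flags: " + (", ".join(sorted(flags)) or "none")]
    parts += [f"tcp {s}:{sp} -> {d}:{dp}" for s, sp, d, dp in iocs["tcp"]]
    parts += [f"dns {h}" for h in iocs["dns"]]
    parts += [f"url {u}" for u in iocs["urls"]]
    parts += [f"wmi {c}" for c in iocs["wmi"]]
    parts += [f"sleep tid={t} n={len(v)} max={max(v)}" for t, v in iocs["sleeps"].items()]
    return "\n".join(parts)


if __name__ == "__main__":
    print(summarize(REPORT_LINES))
```

Unmatched lines (AV verdicts, push/ret listings) fall through silently, which is deliberate: the parser only claims the event types it has patterns for, and a new event type is added by adding a pattern and a flag rule rather than by loosening an existing one.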

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_00437104 0_2_00437104
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\starx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\starx.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_0045B090
Source: C:\Users\user\Desktop\starx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\starx.exe | Window / User API: threadDelayed 836
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1752 | Thread sleep count: 836 > 30
Source: C:\Users\user\Desktop\starx.exe TID: 1752 | Thread sleep count: 61 > 30
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -113000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -56094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -52500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -77250s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -50594s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -74250s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -49094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -47094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -69750s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -44500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -64500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -42500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -42094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -40094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -38594s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -37500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -36594s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -54000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -35500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -35094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -33094s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -48750s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -45750s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -43500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -40500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -37500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -59406s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -88359s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -58718s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -58500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -58312s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -86436s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -57406s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -57218s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -57000s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -85077s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -56312s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -55624s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -55406s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -55218s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -54812s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -54312s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -53906s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -53500s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -53218s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -52812s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -52406s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -51906s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -51312s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -50812s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -50406s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -50218s >= -30000s
Source: C:\Users\user\Desktop\starx.exe TID: 1556 | Thread sleep time: -49312s >= -30000s
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -48406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -48218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -47812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -47624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -47312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -46718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -46218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -45812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -45406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -45000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -44624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -44406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -44124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -43906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -43718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -42624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -42312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -41124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -40624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -40406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -39906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -39718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -39312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -39124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -38406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -57327s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -38000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -37718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -37312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -37124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -36406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -36218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -35812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -35624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -35312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -34906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -34718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -34500s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -34218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -33812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -33624s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -33406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -32906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -32312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -32124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -31812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -46827s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -31000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -30312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -30124s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -48718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -45218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exe TID: 1556Thread sleep time: -41718s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\starx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\starx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\starx.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_00465E48 GetSystemTime followed by cmp: cmp word ptr [ebp-18h], 07dfh and CTI: jnc 00465E6Fh0_2_00465E48
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408454
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405098
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_0041E338 GetSystemInfo,0_2_0041E338
            Source: C:\Users\user\Desktop\starx.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\starx.exeProcess queried: DebugFlagsJump to behavior
            Source: C:\Users\user\Desktop\starx.exeProcess queried: DebugObjectHandleJump to behavior
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_00465CEC VirtualProtect ?,0000F9B9,00000104,?,00000000,0000F9B9,00003000,000000040_2_00465CEC
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004265C8
            Source: C:\Users\user\Desktop\starx.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\starx.exeCode function: 0_2_00465ED0 KiUserExceptionDispatcher,7397B410,GetSystemMetrics,GetSystemMetrics,ExitProcess,RtlAddVectoredExceptionHandler,0_2_00465ED0
            Source: C:\Users\user\Desktop\starx.exeMemory protected: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\starx.exe | Section loaded: unknown target: C:\Users\user\Desktop\starx.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\starx.exe | Process created: C:\Users\user\Desktop\starx.exe 'C:\Users\user\Desktop\starx.exe'
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405250
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetLocaleInfoA,GetACP, 0_2_0040C4C0
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetLocaleInfoA, 0_2_0040AE68
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetLocaleInfoA, 0_2_0040AE1C
            Source: C:\Users\user\Desktop\starx.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0040535C
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetLocaleInfoA, 0_2_00405B7A
            Source: C:\Users\user\Desktop\starx.exe | Code function: GetLocaleInfoA, 0_2_00405B7C
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Users\user\Desktop\starx.exe VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_0040991C GetLocalTime, 0_2_0040991C
            Source: C:\Users\user\Desktop\starx.exe | Code function: 0_2_004482AC GetVersion, 0_2_004482AC
            Source: C:\Users\user\Desktop\starx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.186288931.00000000042B2000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: starx.exe PID: 4704, type: MEMORY
            Source: Yara match | File source: 0.2.starx.exe.4280000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.starx.exe.42b0000.4.unpack, type: UNPACKEDPE
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Tries to steal Mail credentials (via file access)
            Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\starx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\starx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Remote Access Functionality:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000000.00000002.186468255.00000000042FB000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.186288931.00000000042B2000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: starx.exe PID: 4704, type: MEMORY
            Source: Yara match | File source: 0.2.starx.exe.4280000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.starx.exe.42b0000.4.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | System Time Discovery 11 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 21 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 111 | Obfuscated Files or Information 2 | Credentials in Registry 1 | System Information Discovery 128 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture 21 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Security Software Discovery 24 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 14 | Cached Domain Credentials | Virtualization/Sandbox Evasion 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 111 | DCSync | Process Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET