
Analysis Report PO-2009-0476.exe

Overview

General Information

Sample Name:PO-2009-0476.exe
Analysis ID:286348
MD5:21edbb413e832218122f28b28f2eebca
SHA1:fb874de8edea9984ae96251f36a593384fc1b3ff
SHA256:eb643f1d38642a44524ca39400adafdfcaaa39a718cb151c56dd243a0fe37ae7
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PO-2009-0476.exe (PID: 6928 cmdline: 'C:\Users\user\Desktop\PO-2009-0476.exe' MD5: 21EDBB413E832218122F28B28F2EEBCA)
    • PO-2009-0476.exe (PID: 4176 cmdline: C:\Users\user\Desktop\PO-2009-0476.exe MD5: 21EDBB413E832218122F28B28F2EEBCA)
    • PO-2009-0476.exe (PID: 4900 cmdline: C:\Users\user\Desktop\PO-2009-0476.exe MD5: 21EDBB413E832218122F28B28F2EEBCA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "tAbBu3M8Oq3fL", "URL: ": "https://e2E6iMmXGJaX41hLag95.net", "To: ": "", "ByHost: ": "smtp.fitchreatings.com:587", "Password: ": "N0dHb2Ho", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.645439188.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.PO-2009-0476.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO-2009-0476.exe | Avira: detected
Found malware configuration
Source: PO-2009-0476.exe.4900.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "tAbBu3M8Oq3fL", "URL: ": "https://e2E6iMmXGJaX41hLag95.net", "To: ": "", "ByHost: ": "smtp.fitchreatings.com:587", "Password: ": "N0dHb2Ho", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: PO-2009-0476.exe | Virustotal: Detection: 31%
Source: PO-2009-0476.exe | ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: PO-2009-0476.exe | Joe Sandbox ML: detected
Source: 3.2.PO-2009-0476.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_01961780
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_01961678

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 208.91.199.225:587
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 54.235.83.248
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO-2009-0476.exe, 00000003.00000002.647313337.0000000002A9B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://dPstTU.com
Source: PO-2009-0476.exe, 00000003.00000002.647313337.0000000002A9B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: PO-2009-0476.exe, 00000001.00000002.400279302.0000000003780000.00000004.00000001.sdmp, PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-2009-0476.exe, 00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.fitchreatings.com
Source: PO-2009-0476.exe, 00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: PO-2009-0476.exe, 00000001.00000002.400883662.00000000042C8000.00000004.00000001.sdmp, PO-2009-0476.exe, 00000003.00000002.645439188.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: PO-2009-0476.exe, 00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp, PO-2009-0476.exe, 00000003.00000002.648945299.0000000002CF6000.00000004.00000001.sdmp | String found in binary or memory: https://e2E6iMmXGJaX41hLag95.net
Source: PO-2009-0476.exe, 00000003.00000002.647313337.0000000002A9B000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: PO-2009-0476.exe, 00000001.00000002.400883662.00000000042C8000.00000004.00000001.sdmp, PO-2009-0476.exe, 00000003.00000002.645439188.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO-2009-0476.exe, 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443

System Summary:

PE file contains section with special chars
Source: PO-2009-0476.exe | Static PE information: section name: q%KPt8wh
PE file has nameless sections
Source: PO-2009-0476.exe | Static PE information: section name:
Source: PO-2009-0476.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO-2009-0476.exe | Binary or memory string: OriginalFilename vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000001.00000002.397908017.0000000000FB4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTFDp.exeF vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000001.00000002.404482060.000000000BD90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000001.00000003.392515177.0000000001737000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000001.00000002.400883662.00000000042C8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYzAUcjUWcLpUEzOVDwWzxSRxAkVREgVQNAn.exe4 vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000002.00000002.396350920.00000000001F4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTFDp.exeF vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000002.653161536.0000000006610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000002.645762586.0000000000AF7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000000.397034685.00000000006B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTFDp.exeF vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000002.652735269.00000000060D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000002.645439188.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYzAUcjUWcLpUEzOVDwWzxSRxAkVREgVQNAn.exe4 vs PO-2009-0476.exe
Source: PO-2009-0476.exe, 00000003.00000002.646584331.0000000000E2A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO-2009-0476.exe
Source: PO-2009-0476.exe | Binary or memory string: OriginalFilenameTFDp.exeF vs PO-2009-0476.exe
Source: PO-2009-0476.exe | Static PE information: Section: q%KPt8wh ZLIB complexity 1.00031762942
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@4/2
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-2009-0476.exe.log
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO-2009-0476.exe | Virustotal: Detection: 31%
Source: PO-2009-0476.exe | ReversingLabs: Detection: 56%
Source: unknown | Process created: C:\Users\user\Desktop\PO-2009-0476.exe 'C:\Users\user\Desktop\PO-2009-0476.exe'
Source: unknown | Process created: C:\Users\user\Desktop\PO-2009-0476.exe C:\Users\user\Desktop\PO-2009-0476.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO-2009-0476.exe C:\Users\user\Desktop\PO-2009-0476.exe
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process created: C:\Users\user\Desktop\PO-2009-0476.exe C:\Users\user\Desktop\PO-2009-0476.exe
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process created: C:\Users\user\Desktop\PO-2009-0476.exe C:\Users\user\Desktop\PO-2009-0476.exe
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO-2009-0476.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-2009-0476.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Unpacked PE file: 1.2.PO-2009-0476.exe.f20000.0.unpack q%KPt8wh:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x87DE5063 [Thu Mar 27 00:42:11 2042 UTC]
Source: PO-2009-0476.exe | Static PE information: section name: q%KPt8wh
Source: PO-2009-0476.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_00F92602 push esp; ret 1_2_00F92617
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_05891425 push F8D2B4AFh; retf 1_2_05891466
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_05891F7A push edx; ret 1_2_05891F83
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_0196433E push ss; retf 1_2_0196433F
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_0BEE7B78 push esp; ret 1_2_0BEE7B79
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1C08 push ds; retf 2_2_001E1C0C
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1A4C push cs; retf 2_2_001E1A98
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E186C push cs; retf 2_2_001E1A4A
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E186C push cs; retf 2_2_001E1A98
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1A9A push cs; retf 2_2_001E1ACE
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1BDE push ds; retf 2_2_001E1BE2
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1AD0 push ds; retf 2_2_001E1BFA
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E09D0 pushfd ; retn 0007h 2_2_001E09D1
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1BF6 push ds; retf 2_2_001E1C06
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 2_2_001E1BE4 push ds; retf 2_2_001E1BE8
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A186C push cs; retf 3_2_006A1A4A
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A186C push cs; retf 3_2_006A1A98
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1A4C push cs; retf 3_2_006A1A98
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1C08 push ds; retf 3_2_006A1C0C
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1BE4 push ds; retf 3_2_006A1BE8
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1BF6 push ds; retf 3_2_006A1C06
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1BDE push ds; retf 3_2_006A1BE2
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1AD0 push ds; retf 3_2_006A1BFA
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A09D0 pushfd ; retn 0007h 3_2_006A09D1
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_006A1A9A push cs; retf 3_2_006A1ACE
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_0540ED42 pushad ; ret 3_2_0540ED49
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_0540EDE2 pushfd ; ret 3_2_0540EE39
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_060ACAEB pushad ; retf 3_2_060ACAEE
Source: initial sample | Static PE information: section name: q%KPt8wh entropy: 7.99963209397
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO-2009-0476.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.399231289.0000000003271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-2009-0476.exe PID: 6928, type: MEMORY
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into every sandboxed process)
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME (an export that exists only in Wine's kernel32)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Thread delayed: delay time: 922337203685477 (3 events; the value equals .NET's TimeSpan.MaxValue in milliseconds, i.e. a Thread.Sleep that never returns)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Window / User API: threadDelayed 737
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6920 | Thread sleep time: -56265s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 4876 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 5920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6792 | Thread sleep count: 155 > 30
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6792 | Thread sleep count: 737 > 30
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -59314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -57314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -56594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -56188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -54688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -53906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -53282s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -52814s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -52406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -51500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -51094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -50594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -50406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -74250s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -49314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -73641s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -48906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -48406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -48188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -47314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -47094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -46906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -45594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -45188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -44906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -44500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -43594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -43406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -42814s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -42500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -41688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -41406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -41188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -40814s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -40594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -40094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -39314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -38406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -37688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -37314s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -37094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -36594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -34906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -34688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -34188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -32188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -31000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -30814s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -45891s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -30406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -54594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -53500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -53094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -71250s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -38688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -35188s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -31906s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -31688s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -58094s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -56500s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO-2009-0476.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Last function: Thread delayed
Source: PO-2009-0476.exe, 00000003.00000002.646776101.0000000000EFC000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: PO-2009-0476.exe, 00000001.00000003.393986596.00000000038BF000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools (the VMware Tools registry path and display adapter name are compared against the WMI results above to spot a VMware guest)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process information queried: ProcessInformation
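As an added triage example (not part of the Joe Sandbox report and not the sample's code), the sleep indicators above are easier to reason about once parsed. The script below reads lines in the shape printed here, in both the cleaned form and the raw export where the TID runs straight into "Thread" and the line ends in "Jump to behavior". It treats the numbers as milliseconds, which is an inference: 922337203685477 is exactly .NET's TimeSpan.MaxValue in milliseconds, so those entries are Thread.Sleep calls that never return (2767011611056431 is three times that and is treated the same way), and the leading minus is the relative-interval convention of NtDelayExecution that SleepEx passes down. The thresholds are assumptions: 30000 mirrors the value printed on each line, 180000 ms mirrors the report's "long sleeps (>= 3 min)" signature, and 30 mirrors the sleep-count lines. The embedded excerpt is constructed from a subset of the lines above.

```python
"""Triage thread-sleep indicators from a sandbox behaviour report (added example)."""
import re
from collections import Counter

# .NET TimeSpan.MaxValue expressed in milliseconds; a Thread.Sleep with this
# argument never returns, which is what the 922337203685477 entries are.
DOTNET_TIMESPAN_MAX_MS = 922337203685477

SINGLE_SLEEP_MS = 30_000       # assumption: the per-line threshold the report prints
CUMULATIVE_SLEEP_MS = 180_000  # assumption: the report's "long sleeps (>= 3 min)" rule
LOOP_THRESHOLD = 30            # assumption: the "sleep count > 30" rule

# Both regexes accept "TID: 6900 | Thread sleep time: ..." and the raw
# "TID: 6900Thread sleep time: ...Jump to behavior" export.
SLEEP_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep time:\s*-(?P<ms>\d+)s\s*>=\s*-(?P<thr>\d+)s"
)
COUNT_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep count:\s*(?P<n>\d+)\s*>\s*(?P<thr>\d+)"
)

# Constructed excerpt in the shape of the report (a subset of its lines).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6920 | Thread sleep time: -56265s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 4876 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6792 | Thread sleep count: 737 > 30
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe TID: 6900 | Thread sleep time: -30406s >= -30000s
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process information queried: ProcessInformation
"""


def triage_sleeps(report_text: str) -> dict:
    """Summarise sleep-based evasion from report lines.

    Values are treated as milliseconds (see the lead-in); the report's 's'
    suffix is matched but not trusted.
    """
    finite_ms = 0
    infinite_tids = set()
    sleeps_per_tid = Counter()
    loops = {}
    for line in report_text.splitlines():
        m = SLEEP_RE.search(line)
        if m:
            tid, ms = int(m["tid"]), int(m["ms"])
            sleeps_per_tid[tid] += 1
            if ms >= DOTNET_TIMESPAN_MAX_MS:
                infinite_tids.add(tid)  # thread parked forever, not a stall
            else:
                finite_ms += ms
            continue
        m = COUNT_RE.search(line)
        if m:
            tid = int(m["tid"])
            loops[tid] = max(loops.get(tid, 0), int(m["n"]))
    evasive = (
        bool(infinite_tids)
        or finite_ms >= CUMULATIVE_SLEEP_MS
        or any(n > LOOP_THRESHOLD for n in loops.values())
    )
    return {
        "finite_sleep_seconds": finite_ms / 1000,
        "infinite_sleep_tids": sorted(infinite_tids),
        "sleeps_per_tid": dict(sleeps_per_tid),
        "sleep_loops": loops,
        "evasive": evasive,
    }


if __name__ == "__main__":
    for key, value in triage_sleeps(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The split between finite and infinite sleeps matters when reading the full list: the finite ones on TID 6900 add up to well over an hour of requested delay, which is what the sandbox's sleep-skipping defeats, while the TimeSpan.MaxValue calls on 4876 and 5920 are threads that are simply never meant to wake up.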

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 1_2_01961780 CheckRemoteDebuggerPresent, 1_2_01961780
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process queried: DebugPort (4 events; CheckRemoteDebuggerPresent is a thin wrapper around NtQueryInformationProcess(ProcessDebugPort), which is why the API call and the DebugPort queries appear together)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Code function: 3_2_060AA2E8 LdrInitializeThunk, 3_2_060AA2E8
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process token adjusted: Debug (2 events; SeDebugPrivilege enabled on the process token)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Memory written: C:\Users\user\Desktop\PO-2009-0476.exe base: 400000 value starts with: 4D5A (4D5A is the "MZ" signature and 0x400000 the default image base of a 32-bit executable)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Process created: C:\Users\user\Desktop\PO-2009-0476.exe C:\Users\user\Desktop\PO-2009-0476.exe (2 events; a second copy of the same file is started, and together with the suspended-mode creation and the PE written at its image base this is consistent with process hollowing)
Source: PO-2009-0476.exe, 00000003.00000002.646974985.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO-2009-0476.exe, 00000003.00000002.646974985.0000000001450000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
Source: PO-2009-0476.exe, 00000003.00000002.646974985.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PO-2009-0476.exe, 00000003.00000002.646974985.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Users\user\Desktop\PO-2009-0476.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (the managed WMI client, loaded for the Win32_* queries above)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-host identifier)
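Added example, not the sample's code and not the sandbox's: the two injection indicators above (a second copy of the executable started, then an MZ/PE image written at its base 0x400000) are the write half of process hollowing, and the way a responder confirms it from a memory dump is to compare the PE header on disk with the header found at the image base of the running process. The script below parses the fields worth comparing from both PE32 and PE32+ headers and reports every mismatch. The two headers it compares are constructed inside the script; every value in them (timestamps, entry points, section counts) is illustrative and nothing is taken from the real sample.

```python
"""Compare an on-disk PE header with the one at the process image base (added example)."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe_header(machine: int, timestamp: int, n_sections: int,
                    entry_rva: int, image_base: int) -> bytes:
    """Constructed minimal DOS stub + NT headers for the demo (no sections,
    not loadable); only the field layout matters to the parser below."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"                                   # 4D 5A, as in the report
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew -> "PE\0\0"
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, n_sections, timestamp,
                              0, 0, 240 if pe32plus else 224, 0x0102)
    if pe32plus:  # Magic, linker ver, 3 sizes, AddressOfEntryPoint, BaseOfCode, ImageBase(u64)
        optional = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0, 0, 0,
                               entry_rva, 0, image_base)
    else:         # same, with BaseOfData before a 32-bit ImageBase
        optional = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0, 0, 0,
                               entry_rva, 0, 0, image_base)
    return bytes(dos) + b"PE\0\0" + file_header + optional


def parse_pe_header(blob: bytes) -> dict:
    """Extract the header fields a hollowing check compares."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, n_sections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)   # same offset in both formats
    if magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", blob, opt + 24)
    elif magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"machine": machine, "timestamp": timestamp, "n_sections": n_sections,
            "entry_rva": entry_rva, "image_base": image_base}


def hollowing_indicators(disk_header: bytes, memory_header: bytes) -> list:
    """Fields that differ between the file on disk and the image at its base;
    an empty list means the mapped image still matches the file."""
    disk, mem = parse_pe_header(disk_header), parse_pe_header(memory_header)
    return [f"{k}: disk={disk[k]:#x} memory={mem[k]:#x}"
            for k in ("machine", "timestamp", "n_sections", "entry_rva", "image_base")
            if disk[k] != mem[k]]


# Constructed headers: the dropper as it looks on disk versus the payload
# written to 0x400000 in the suspended child. All values are illustrative.
DISK_HEADER = build_pe_header(IMAGE_FILE_MACHINE_I386, 0x5F5E1000, 3, 0x2A3E, 0x400000)
MEMORY_HEADER = build_pe_header(IMAGE_FILE_MACHINE_I386, 0x3C2B1D70, 4, 0x1234, 0x400000)

if __name__ == "__main__":
    for finding in hollowing_indicators(DISK_HEADER, MEMORY_HEADER):
        print(finding)
```

On a live system the memory side comes from ReadProcessMemory at the base reported by the module list, and a full check also hashes section contents, since a payload can keep the same header fields. The comparison is exactly right for this sample's pattern, where the child is the same file as the parent, so the on-disk header is a known-good reference; with a packer that rewrites its own headers in place you would expect some mismatch even without injection.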

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.647248034.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.645439188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.400883662.00000000042C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-2009-0476.exe PID: 6928, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-2009-0476.exe PID: 4900, type: MEMORY
Source: Yara match | File source: 3.2.PO-2009-0476.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 events)
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO-2009-0476.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile subkey that holds account settings)
Source: Yara match | File source: 00000003.00000002.647376168.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-2009-0476.exe PID: 4900, type: MEMORY
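Added example, neither the malware's code nor FileZilla's: of the credential stores touched above, recentservers.xml is the one whose exposure a responder can reconstruct directly, because FileZilla writes the last-used servers into it with their credentials, base64-encoded in current versions and plaintext in old ones, and base64 is an encoding rather than encryption. The parser below lists every account the stealer could have read from such a file and turns that into the rotation list for the incident. The XML is a constructed sample in FileZilla's layout; the protocol-number mapping is taken from my recollection of FileZilla's source and is an assumption, as is the hypothetical hostnames.

```python
"""List the accounts exposed by a FileZilla recentservers.xml (added example)."""
import base64
import xml.etree.ElementTree as ET  # for files of unknown origin, prefer defusedxml

# Assumed <Protocol> numbering (from memory of FileZilla's source, not verified here).
PROTOCOLS = {0: "FTP", 1: "SFTP", 3: "FTPS", 4: "FTPES"}

# Constructed sample in FileZilla's layout: one base64 password (current
# versions), one plaintext password (pre-3.26 layout), one anonymous entry.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.50.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass>legacy-plaintext</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>anonymous</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def exposed_credentials(xml_text: str) -> list:
    """One row per <Server>; password is None when nothing was stored."""
    root = ET.fromstring(xml_text)
    rows = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            password = None
        elif pass_el.get("encoding") == "base64":
            password = base64.b64decode(pass_el.text.strip()).decode("utf-8", "replace")
        else:
            password = pass_el.text.strip()  # old plaintext layout
        rows.append({
            "host": server.findtext("Host", "").strip(),
            "port": int(server.findtext("Port", "0") or 0),
            "protocol": PROTOCOLS.get(int(server.findtext("Protocol", "0") or 0), "unknown"),
            "user": server.findtext("User", "").strip(),
            "password": password,
        })
    return rows


def rotation_targets(rows: list) -> list:
    """Accounts whose secret sat on disk and must be treated as compromised."""
    return sorted(f"{r['user']}@{r['host']}:{r['port']}"
                  for r in rows if r["password"] is not None)


if __name__ == "__main__":
    rows = exposed_credentials(SAMPLE_RECENTSERVERS)
    for row in rows:
        print(row["protocol"], row["host"], row["user"],
              "(password stored)" if row["password"] is not None else "(no password)")
    print("rotate:", rotation_targets(rows))
```

The same file under sitemanager.xml holds the saved site list in the same layout, so the parser applies to both; the plaintext versus base64 branch is the practical reason a 2020-era stealer still reads these files without needing any decryption routine.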

              Remote Access Functionality: