
Analysis Report PO-074-20-DM4.exe

Overview

General Information

Sample Name: PO-074-20-DM4.exe
Analysis ID: 286361
MD5: 04e761381caf955122a817f09ecb36b1
SHA1: 37d443dd00b448a9661f7728a1c620729b10ddcf
SHA256: fc37e01bcc7919699ec81a825718d0639eaf85eef7e7b87111ff33b53fd09b0b
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • PO-074-20-DM4.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\PO-074-20-DM4.exe' MD5: 04E761381CAF955122A817F09ECB36B1)
    • PO-074-20-DM4.exe (PID: 1156 cmdline: C:\Users\user\Desktop\PO-074-20-DM4.exe MD5: 04E761381CAF955122A817F09ECB36B1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
Process Memory Space: PO-074-20-DM4.exe PID: 1156 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.PO-074-20-DM4.exe.150000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO-074-20-DM4.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: PO-074-20-DM4.exe | Virustotal: Detection: 29%
Source: PO-074-20-DM4.exe | ReversingLabs: Detection: 43%
Machine Learning detection for sample
Source: PO-074-20-DM4.exe | Joe Sandbox ML: detected
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: g.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: http://dPstTU.com
Source: g.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: g.dll.1.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: g.dll.1.dr | String found in binary or memory: http://s2.symcb.com0
Source: g.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: g.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: g.dll.1.dr | String found in binary or memory: http://sv.symcd.com0&
Source: g.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: g.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: g.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: g.dll.1.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: g.dll.1.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: PO-074-20-DM4.exe, 00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: g.dll.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: g.dll.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: PO-074-20-DM4.exe, 00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO-074-20-DM4.exe, 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: PO-074-20-DM4.exe, ?_3?0?u0024???2u0023?9u0028???6u00215u007b???4?u003e/??u003a53??u003fu002c?0???u002821u002b???6u007b??u0021?87?.cs | Large array initialization: 6?????:4+?8??9(: array initializer size 123904
Source: 1.0.PO-074-20-DM4.exe.c60000.0.unpack, ?_3?0?u0024???2u0023?9u0028???6u00215u007b???4?u003e/??u003a53??u003fu002c?0???u002821u002b???6u007b??u0021?87?.cs | Large array initialization: 6?????:4+?8??9(: array initializer size 123904
Source: 19.2.PO-074-20-DM4.exe.10000.0.unpack, ?_3?0?u0024???2u0023?9u0028???6u00215u007b???4?u003e/??u003a53??u003fu002c?0???u002821u002b???6u007b??u0021?87?.cs | Large array initialization: 6?????:4+?8??9(: array initializer size 123904
Source: 19.0.PO-074-20-DM4.exe.10000.0.unpack, ?_3?0?u0024???2u0023?9u0028???6u00215u007b???4?u003e/??u003a53??u003fu002c?0???u002821u002b???6u007b??u0021?87?.cs | Large array initialization: 6?????:4+?8??9(: array initializer size 123904
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A746A0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A735C4
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A73D42
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A745B0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A7D2E0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A75391
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00A735B8
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_05757530
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_05756918
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_057590F0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_05756C60
Source: PO-074-20-DM4.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO-074-20-DM4.exe, 00000001.00000000.239480632.0000000000C62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamevee.exeX vs PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe | Binary or memory string: OriginalFilename vs PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe, 00000013.00000002.511661326.00000000055F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe, 00000013.00000002.503361330.0000000000012000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamevee.exeX vs PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe, 00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYzAUcjUWcLpUEzOVDwWzxSRxAkVREgVQNAn.exe4 vs PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe | Binary or memory string: OriginalFilenamevee.exeX vs PO-074-20-DM4.exe
Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-074-20-DM4.exe.log
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | File created: C:\Users\user\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1
Source: PO-074-20-DM4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO-074-20-DM4.exe | Virustotal: Detection: 29%
Source: PO-074-20-DM4.exe | ReversingLabs: Detection: 43%
Source: unknown | Process created: C:\Users\user\Desktop\PO-074-20-DM4.exe 'C:\Users\user\Desktop\PO-074-20-DM4.exe'
Source: unknown | Process created: C:\Users\user\Desktop\PO-074-20-DM4.exe C:\Users\user\Desktop\PO-074-20-DM4.exe
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Process created: C:\Users\user\Desktop\PO-074-20-DM4.exe C:\Users\user\Desktop\PO-074-20-DM4.exe
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO-074-20-DM4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-074-20-DM4.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: g.dll.1.dr
Source: g.dll.1.dr | Static PE information: section name: .didat
Source: g.dll.1.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_0001442D push cs; retf | 19_2_0001442F
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00012843 push 68BB0E69h; iretd | 19_2_00012929
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00015A55 push FFFFFFBEh; retf | 19_2_00015A62
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00015CA0 push 00000061h; retf | 19_2_00015CAA
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00012CC4 push esp; rep ret | 19_2_00012CC5
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00015758 push ebp; retf | 19_2_00015760
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_0001317B push eax; ret | 19_2_0001317C
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00015B9B push 6F666E49h; iretd | 19_2_00015BA0
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_000143BC pushad ; retf | 19_2_00014423
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_00015BE7 push edx; ret | 19_2_00015BF7
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_006BD27C pushad ; ret | 19_2_006BD27D
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_006BD25C push esp; ret | 19_2_006BD25D
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_006BD31C pushfd ; ret | 19_2_006BD31D
Source: initial sample | Static PE information: section name: .text entropy: 7.34032429843
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | File created: C:\Users\user\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1\g.dll
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | RDTSC instruction interceptor: First address: 0000000072F71D36 second address: 0000000072F72A87 instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-10h], eax
    0x00000005 mov dword ptr [ebp-0Ch], edx
    0x00000008 mov eax, dword ptr [ebp-10h]
    0x0000000b sub eax, dword ptr [ebp-08h]
    0x0000000e mov edx, dword ptr [ebp-0Ch]
    0x00000011 sbb edx, dword ptr [ebp-04h]
    0x00000014 pop edi
    0x00000015 pop esi
    0x00000016 pop ebx
    0x00000017 mov esp, ebp
    0x00000019 pop ebp
    0x0000001a ret
    0x0000001b mov dword ptr [72F853C0h], eax
    0x00000020 mov dword ptr [72F853C4h], edx
    0x00000026 mov dword ptr [ebp-0Ch], 00000000h
    0x0000002d jmp 00007FADF0D3B8BBh
    0x0000002f mov eax, dword ptr [ebp-0Ch]
    0x00000032 cmp eax, dword ptr [ebp+08h]
    0x00000035 jnl 00007FADF0D3B8F6h
    0x00000037 rdtsc
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Window / User API: threadDelayed 489
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 4548 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 5804 | Thread sleep count: 172 > 30
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 5948 | Thread sleep count: 57 > 30
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 5948 | Thread sleep count: 489 > 30
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 4520 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 344 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 420 | Thread sleep count: 222 > 30
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 420 | Thread sleep count: 277 > 30
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe TID: 344 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Last function: Thread delayed
Source: PO-074-20-DM4.exe, 00000013.00000002.511661326.00000000055F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO-074-20-DM4.exe, 00000013.00000002.511661326.00000000055F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO-074-20-DM4.exe, 00000013.00000002.511661326.00000000055F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO-074-20-DM4.exe, 00000013.00000002.511661326.00000000055F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Process created: C:\Users\user\Desktop\PO-074-20-DM4.exe C:\Users\user\Desktop\PO-074-20-DM4.exe
Source: PO-074-20-DM4.exe, 00000013.00000002.506743321.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO-074-20-DM4.exe, 00000013.00000002.506743321.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PO-074-20-DM4.exe, 00000013.00000002.506743321.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: PO-074-20-DM4.exe, 00000013.00000002.506743321.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Users\user\Desktop\PO-074-20-DM4.exe VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Code function: 19_2_057563F4 GetUserNameW
Source: C:\Users\user\Desktop\PO-074-20-DM4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-074-20-DM4.exe PID: 1156, type: MEMORY
Source: Yara match | File source: 19.2.PO-074-20-DM4.exe.150000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000013.00000002.507406786.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.504006983.0000000000152000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-074-20-DM4.exe PID: 1156, type: MEMORY
Source: Yara match | File source: 19.2.PO-074-20-DM4.exe.150000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | LSASS Memory | Virtualization/Sandbox Evasion 13 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 213 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
