Analysis Report list of P.O.exe

Overview

General Information

Sample Name: list of P.O.exe
Analysis ID: 326337
MD5: 4bc8c3c14ccfe94a9eea971644f48469
SHA1: 36c93a58dd879a3fc56c38297d05a5bcd89ea7e7
SHA256: a2b202778eb54dc48fd49a2f90b7e6619f20c6d0c907d386da68e9c32fbcb68c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: list of P.O.exe.6224.1.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "pPSkmfrJ9hO", "URL: ": "https://WMSJ15tuzJ0HQU3MhtVn.org", "To: ": "alex.zhang@sonoscepa.net", "ByHost: ": "smtp.sonoscepa.net:587", "Password: ": "gqxA9ZbxGmuCi", "From: ": "alex.zhang@sonoscepa.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: list of P.O.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.list of P.O.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 8.2.newapp.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 4x nop then jmp 04E7AD15h 0_2_04E7AC75

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49755 -> 208.91.199.225:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49755 -> 208.91.199.225:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.225
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49755 -> 208.91.199.225:587
Source: unknown DNS traffic detected: queries for: smtp.sonoscepa.net
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp String found in binary or memory: http://smtp.sonoscepa.net
Source: list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: http://vkloll.com
Source: list of P.O.exe, 00000001.00000002.928802698.0000000003086000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928753365.0000000003076000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928675437.000000000303D000.00000004.00000001.sdmp String found in binary or memory: https://WMSJ15tuzJ0HQU3MhtVn.org
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: list of P.O.exe, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.list of P.O.exe.400000.0.unpack, <PrivateImplementationDetails>{E872A713-3E8C-484E-94F8-C04E52E968DA}/818D8455-59A3-4094-B9D9-312F3F825297.cs Large array initialization: .cctor: array initializer size 11962
Source: 8.2.newapp.exe.400000.0.unpack, <PrivateImplementationDetails>{E872A713-3E8C-484E-94F8-C04E52E968DA}/818D8455-59A3-4094-B9D9-312F3F825297.cs Large array initialization: .cctor: array initializer size 11962
.NET source code contains very large strings
Source: list of P.O.exe, MainModule.cs Long String: Length: 81136
Source: 0.0.list of P.O.exe.10000.0.unpack, MainModule.cs Long String: Length: 81136
Source: 0.2.list of P.O.exe.10000.0.unpack, MainModule.cs Long String: Length: 81136
Source: newapp.exe.1.dr, MainModule.cs Long String: Length: 81136
Source: 1.0.list of P.O.exe.850000.0.unpack, MainModule.cs Long String: Length: 81136
Source: 1.2.list of P.O.exe.850000.1.unpack, MainModule.cs Long String: Length: 81136
Source: 5.2.newapp.exe.670000.0.unpack, MainModule.cs Long String: Length: 81136
Source: 5.0.newapp.exe.670000.0.unpack, MainModule.cs Long String: Length: 81136
Source: 8.2.newapp.exe.4d0000.1.unpack, MainModule.cs Long String: Length: 81136
Source: 8.0.newapp.exe.4d0000.0.unpack, MainModule.cs Long String: Length: 81136
Detected potential crypto function
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_00A1A908 0_2_00A1A908
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_00A19A18 0_2_00A19A18
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_00A17F70 0_2_00A17F70
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_04E777E0 0_2_04E777E0
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_04E735FC 0_2_04E735FC
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_04E76E20 0_2_04E76E20
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_04E76E13 0_2_04E76E13
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_04E777D1 0_2_04E777D1
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 0_2_00019761 0_2_00019761
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_004055FC 1_2_004055FC
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011A46A0 1_2_011A46A0
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011A461A 1_2_011A461A
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011AD980 1_2_011AD980
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011E4880 1_2_011E4880
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011EBA30 1_2_011EBA30
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011E6E24 1_2_011E6E24
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011E9258 1_2_011E9258
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011E0040 1_2_011E0040
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_01253040 1_2_01253040
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_012592E8 1_2_012592E8
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_0125462C 1_2_0125462C
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_00859761 1_2_00859761
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_0294A908 5_2_0294A908
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_02947F70 5_2_02947F70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_02949CF0 5_2_02949CF0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_02946BC7 5_2_02946BC7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_00679761 5_2_00679761
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_026546A0 8_2_026546A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_026545B0 8_2_026545B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0265D980 8_2_0265D980
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_004D9761 8_2_004D9761
Sample file is different than original file name gathered from version info
Source: list of P.O.exe, 00000000.00000002.674920597.0000000026280000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNT1.dll, vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000000.661062926.00000000000B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXZWRRXtkFEFbKFPTrQkenPzvprcODpESzrmrVO.exe4 vs list of P.O.exe
Source: list of P.O.exe Binary or memory string: OriginalFilename vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.927586303.0000000001200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameXZWRRXtkFEFbKFPTrQkenPzvprcODpESzrmrVO.exe4 vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000000.667728980.00000000008F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.926535911.0000000000CF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.932653118.0000000005FC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs list of P.O.exe
Source: list of P.O.exe Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newapp.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.list of P.O.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.newapp.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/4@2/1
Source: C:\Users\user\Desktop\list of P.O.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\list of P.O.exe.log
Source: C:\Users\user\Desktop\list of P.O.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\list of P.O.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\list of P.O.exe File read: C:\Users\user\Desktop\list of P.O.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\list of P.O.exe 'C:\Users\user\Desktop\list of P.O.exe'
Source: unknown Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\Desktop\list of P.O.exe Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\Desktop\list of P.O.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: list of P.O.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: list of P.O.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_00FBE38A push eax; ret 1_2_00FBE349
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_00FBD95C push eax; ret 1_2_00FBD95D
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_00FBE332 push eax; ret 1_2_00FBE349
Source: C:\Users\user\Desktop\list of P.O.exe Code function: 1_2_011EB250 pushfd ; retf 1_2_011EB251
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_0294003C push eax; iretd 5_2_0294004A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 5_2_02941C97 push ebx; iretd 5_2_02941CA6
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_00B3D95C push eax; ret 8_2_00B3D95D
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_00B3E348 push eax; ret 8_2_00B3E349
Source: initial sample Static PE information: section name: .text entropy: 6.95700056065

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\list of P.O.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\Desktop\list of P.O.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\list of P.O.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\list of P.O.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: list of P.O.exe, 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: list of P.O.exe, 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\list of P.O.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\list of P.O.exe Window / User API: threadDelayed 1373 Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Window / User API: threadDelayed 8470 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 3821 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 6002 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\list of P.O.exe TID: 7160 Thread sleep time: -53447s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe TID: 5744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe TID: 3980 Thread sleep time: -19369081277395017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe TID: 4420 Thread sleep count: 1373 > 30 Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe TID: 4420 Thread sleep count: 8470 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 6524 Thread sleep time: -49943s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 6632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4600 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4600 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1504 Thread sleep count: 3821 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1504 Thread sleep count: 6002 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: vmware
Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\list of P.O.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\list of P.O.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\list of P.O.exe Memory written: C:\Users\user\Desktop\list of P.O.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\list of P.O.exe Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe Jump to behavior
Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Progman
Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Users\user\Desktop\list of P.O.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Users\user\Desktop\list of P.O.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY
Source: Yara match File source: 8.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.list of P.O.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY
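
The signature groups above (the WMI and sleep-based sandbox checks under Malware Analysis System Evasion, the suspended self-spawn plus MZ write that Joe Sandbox reports as PE injection, and the browser, FTP, mail and WinSCP credential-store accesses under Stealing of Sensitive Information) are easier to reason about when the "Source:" lines are parsed and correlated rather than read one by one. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: its line regex, the WMI class list, the credential-store table and the hollowing correlation are the editor's own assumptions, and SAMPLE_LINES is a constructed copy of a few lines from this report.

```python
"""Triage helper for the 'Source: ...' behaviour lines of a Joe Sandbox report.
Added example: regex and tables are the editor's own heuristics (assumptions),
not Joe Sandbox logic; SAMPLE_LINES is constructed to mirror this report."""
import re
from collections import defaultdict

# Int64.MaxValue ticks / 10,000 ticks per ms == TimeSpan.MaxValue in milliseconds:
# a delay of exactly this value is an effectively infinite .NET sleep.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000             # the report's own ">= 3 min" bar

# WMI classes whose values (vendor strings, MACs, CPU names) expose a hypervisor.
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_VideoController"}

# Memory strings that point at an analysis-environment check or artefact.
ANALYSIS_STRINGS = {"SBIEDLL.DLL": "Sandboxie DLL name",
                    "WINE_GET_UNIX_FILE_NAME": "Wine export name",
                    "VMWARE": "VMware string"}

# (lower-case substring of a file path or registry key, what that store holds)
CRED_TARGETS = [
    (r"\google\chrome\user data\default\login data", "Chrome saved logins"),
    (r"\mozilla\firefox\profiles.ini", "Firefox profile index"),
    (r"\thunderbird\profiles.ini", "Thunderbird profile index"),
    (r"\filezilla\recentservers.xml", "FileZilla recent servers"),
    (r"\smartftp\client", "SmartFTP favourites"),
    (r"\martin prikryl\winscp 2\sessions", "WinSCP sessions"),
    (r"\windows messaging subsystem\profiles\outlook", "Outlook MAPI profile"),
    (r"\incredimail\identities", "IncrediMail identities"),
]

ACTIONS = ("WMI Queries", "Thread delayed", "Binary or memory string",
           "File opened", "Key opened", "Process created", "Memory written")
LINE_RE = re.compile(r"^Source:\s+(?P<src>.+?)\s+(?P<action>" + "|".join(map(re.escape, ACTIONS))
                     + r"):\s*(?P<detail>.*?)(?:\s+Jump to behavior)?$")


def parse_line(line):
    """Split one report line into (source, action, detail); None for other lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("action"), m.group("detail").strip()) if m else None


def classify(src, action, detail):
    """Map one parsed event to (category, note), or None if not interesting."""
    if action == "WMI Queries":
        wmi_class = detail.split()[-1]        # "... : Win32_X" or "SELECT * FROM Win32_X"
        if wmi_class in VM_WMI_CLASSES:
            return "vm_fingerprint", wmi_class
    elif action == "Thread delayed":
        ms = abs(int(re.search(r"-?\d+", detail).group()))
        if ms == TIMESPAN_MAX_MS:
            return "long_sleep", "TimeSpan.MaxValue (effectively infinite)"
        if ms >= LONG_SLEEP_MS:
            return "long_sleep", f"{ms // 60000} min"
    elif action == "Binary or memory string":
        for needle, note in ANALYSIS_STRINGS.items():
            if needle in detail.upper():
                return "analysis_env_strings", note
    elif action in ("File opened", "Key opened"):
        for needle, note in CRED_TARGETS:
            if needle in detail.lower():
                return "credential_access", note
    elif action == "Process created" and detail.startswith(src):
        return "self_spawn", src              # "<image> <cmdline>": spawned its own image
    elif action == "Memory written":
        # "base: 400000 value starts with: 4D5A": an MZ header written at an image base.
        m = re.match(r"(?P<target>.+?) base: [0-9A-Fa-f]+ value starts with: 4D5A", detail)
        if m:
            return "pe_write", m.group("target")
    return None


def triage(lines):
    """Aggregate report lines into {category: sorted unique notes}."""
    found = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        hit = classify(*parsed) if parsed else None
        if hit:
            found[hit[0]].add(hit[1])
    # Spawning its own image and then writing an MZ header into that image is
    # the RunPE / process-hollowing pattern behind "Injects a PE file".
    found["hollowing_candidates"] = found["self_spawn"] & found["pe_write"]
    return {k: sorted(v) for k, v in found.items()}


# Constructed input mirroring this report's lines, one per behaviour type.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\list of P.O.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: list of P.O.exe, 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\Desktop\list of P.O.exe Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe Jump to behavior",
    r"Source: C:\Users\user\Desktop\list of P.O.exe Memory written: C:\Users\user\Desktop\list of P.O.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior",
]
```

Calling `triage(SAMPLE_LINES)` groups the constructed lines into vm_fingerprint (Win32_BaseBoard, Win32_Processor), long_sleep, analysis_env_strings (Sandboxie), credential_access (Chrome, WinSCP) and one hollowing candidate, list of P.O.exe, because the same image is both self-spawned and the target of the MZ write at base 400000. The delay value 922337203685477 that the report shows for both processes is floor(Int64.MaxValue / 10000), which is TimeSpan.MaxValue expressed in milliseconds, so the "long sleep" here is a wait that never returns on its own rather than a timed delay; the negative "Thread sleep time" values with TID prefixes are left unparsed on purpose, since their units are not stated on the page.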

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
Source: Yara match File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY
Source: Yara match File source: 8.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.list of P.O.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 326337; Sample: list of P.O.exe; Startdate: 03/12/2020; Architecture: WINDOWS; Score: 100)

Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected AgentTesla; 7 other signatures
Processes started from the root: list of P.O.exe; newapp.exe; newapp.exe
list of P.O.exe: dropped C:\Users\user\AppData\...\list of P.O.exe.log (ASCII); Injects a PE file into a foreign processes; started a second list of P.O.exe
newapp.exe: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); started a second newapp.exe
Second list of P.O.exe: DNS/IP smtp.sonoscepa.net; us2.smtp.mailhostbox.com 208.91.199.225, 49755, 587, PUBLIC-DOMAIN-REGISTRYUS, United States; dropped C:\Users\user\AppData\Roaming\...\newapp.exe (PE32) and C:\Users\user\...\newapp.exe:Zone.Identifier (ASCII); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                  Malicious
208.91.199.225  unknown  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false

Contacted Domains

Name                      IP              Active
us2.smtp.mailhostbox.com  208.91.199.225  true
smtp.sonoscepa.net        unknown         unknown