Play interactive tour

Edit tour

Analysis Report JUST1F1.tar

Overview

General Information

Sample Name:	JUST1F1.tar
Analysis ID:	338154
MD5:	68bfcb37e51bc06b0f9b776ad69c9575
SHA1:	11f8c44f9c1d466def73c75149a661aa2cf71dfd
SHA256:	d23f969ae26972088e1ec2c404edfb95add9b3a67be616fedd1ee0fef7cba287
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

unarchiver.exe (PID: 5780 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\JUST1F1.tar' MD5: 8B435F8731563566F3F49203BA277865)

7za.exe (PID: 6104 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg' 'C:\Users\user\Desktop\JUST1F1.tar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2856 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

JUST1F1.exe (PID: 6840 cmdline: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe MD5: 1B05FB33C53270DB133E7E7830CDA935)

JUST1F1.exe (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe MD5: 1B05FB33C53270DB133E7E7830CDA935)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "uhV8VNpzP", "URL: ": "http://RmfrFmh6Ec0Y1.com", "To: ": "", "ByHost: ": "smtp.1and1.es:587", "Password: ": "Cxvu3Va", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JUST1F1.exe PID: 6840	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: JUST1F1.exe PID: 6840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JUST1F1.exe PID: 6516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: JUST1F1.exe PID: 6516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.JUST1F1.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: JUST1F1.exe.6516.6.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "uhV8VNpzP", "URL: ": "http://RmfrFmh6Ec0Y1.com", "To: ": "", "ByHost: ": "smtp.1and1.es:587", "Password: ": "Cxvu3Va", "From: ": ""}

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Joe Sandbox ML: detected

Source: 6.2.JUST1F1.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:

Binary string: mscorrc.pdb source: JUST1F1.exe, 00000005.00000002.676091893.0000000005710000.00000002.00000001.sdmp, JUST1F1.exe, 00000006.00000002.989933486.0000000001500000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0181097Fh
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0181097Eh
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0181097Eh
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://RmfrFmh6Ec0Y1.com

Source: global traffic

TCP traffic: 192.168.2.4:49774 -> 212.227.15.142:587

Source: Joe Sandbox View

IP Address: 212.227.15.142 212.227.15.142

Source: global traffic

TCP traffic: 192.168.2.4:49774 -> 212.227.15.142:587

Source: unknown

DNS traffic detected: queries for: smtp.1and1.es

Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://RmfrFmh6Ec0Y1.com
Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://RmfrFmh6Ec0Y1.comLE
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://qphjuU.com
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: http://status.geotrust.com0=
Source: JUST1F1.exe, 00000006.00000002.990692781.000000000345C000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: JUST1F1.exe, 00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp, JUST1F1.exe, 00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unarchiver.exe, 00000000.00000002.677946184.0000000001400000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 6.2.JUST1F1.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A82A344u002d7631u002d4D01u002dB6C2u002d4D7CCC0A813Cu007d/u0032382CB16u002d27B1u002d493Au002dA31Cu002d9967CBD8A2C7.cs

Large array initialization: .cctor: array initializer size 11927

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_018102A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_01810299
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_013228A4
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_01336484
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA1074
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FAA608
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA5BF2
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA17B0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA17A0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA1478
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA1468
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA4C50
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA844B
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA4C40
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_015D1D00
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_0543E138
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_0543D9E0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_0543B7A0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05438C40
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05430A98
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05438BE0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DDE9C8
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DD91B0
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DDCDA4
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DDE570
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DD3F11
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_05DD5A10

Source: JUST1F1.tar

Binary or memory string: OriginalFilenameUIPermissionClipboard.exe* vs JUST1F1.tar

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Section loaded: security.dll

Source: 6.2.JUST1F1.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.JUST1F1.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winTAR@11/4@1/1

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JUST1F1.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:864:120:WilError_01

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\4uifd5lh.jpu

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\JUST1F1.tar'
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg' 'C:\Users\user\Desktop\JUST1F1.tar'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg' 'C:\Users\user\Desktop\JUST1F1.tar'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:

Binary string: mscorrc.pdb source: JUST1F1.exe, 00000005.00000002.676091893.0000000005710000.00000002.00000001.sdmp, JUST1F1.exe, 00000006.00000002.989933486.0000000001500000.00000002.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xC023C5A7 [Wed Feb 24 20:03:51 2072 UTC]

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_0133840C push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_02FA9E64 push 02FAh; iretd
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_0543BB38 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 6_2_0543CCF8 push esp; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.38023666029

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6840, type: MEMORY

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Windows\SysWOW64\unarchiver.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Window / User API: threadDelayed 877

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 6364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 6824	Thread sleep time: -50650s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 6388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 7000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 7000	Thread sleep count: 877 > 30
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 7000	Thread sleep time: -26310000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 7000	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe TID: 7000	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_013DB042 GetSystemInfo,

Source: JUST1F1.exe, 00000006.00000002.989813861.0000000001248000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSUY6
Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: JUST1F1.exe, 00000006.00000002.992224555.0000000005640000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: JUST1F1.exe, 00000006.00000002.992224555.0000000005640000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: JUST1F1.exe, 00000006.00000002.992224555.0000000005640000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: JUST1F1.exe, 00000006.00000002.989795749.0000000001225000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW"
Source: JUST1F1.exe, 00000005.00000002.674029983.000000000140B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: JUST1F1.exe, 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: JUST1F1.exe, 00000006.00000002.992224555.0000000005640000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Code function: 6_2_0543BD08 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Memory written: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg' 'C:\Users\user\Desktop\JUST1F1.tar'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Process created: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Source: JUST1F1.exe, 00000006.00000002.990020762.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: JUST1F1.exe, 00000006.00000002.990020762.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: JUST1F1.exe, 00000006.00000002.990020762.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: JUST1F1.exe, 00000006.00000002.990020762.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6840, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6516, type: MEMORY
Source: Yara match	File source: 6.2.JUST1F1.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6516, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6840, type: MEMORY
Source: Yara match	File source: Process Memory Space: JUST1F1.exe PID: 6516, type: MEMORY
Source: Yara match	File source: 6.2.JUST1F1.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_03020A8E listen,
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_03020E9E bind,
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_03020A50 CreateMutexW,listen,
Source: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	Code function: 5_2_03020E6B bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	System Information Discovery115	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	Input Capture1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.JUST1F1.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://qphjuU.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://RmfrFmh6Ec0Y1.com	0%	Avira URL Cloud	safe
http://RmfrFmh6Ec0Y1.comLE	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.1and1.es	212.227.15.142	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://RmfrFmh6Ec0Y1.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://qphjuU.com	JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://RmfrFmh6Ec0Y1.comLE	JUST1F1.exe, 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	JUST1F1.exe, 00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp, JUST1F1.exe, 00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.227.15.142	unknown	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338154
Start date:	11.01.2021
Start time:	18:19:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	JUST1F1.tar
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winTAR@11/4@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 0% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .tar
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 67.27.157.126, 67.26.83.254, 67.26.73.254, 8.248.117.254, 8.248.115.254 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:20:07	API Interceptor	1234x Sleep call for process: JUST1F1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
212.227.15.142	Fizetesi felszolitas.tar	Get hash	malicious	Browse
	Orden de pago BBVA.exe	Get hash	malicious	Browse
	PAP001.exe	Get hash	malicious	Browse
	Paketdetails.exe	Get hash	malicious	Browse
	PAG0.exe	Get hash	malicious	Browse
	b6Sq4e2cn7.exe	Get hash	malicious	Browse
	h41lD1yljY.exe	Get hash	malicious	Browse
	CHBhXBQny7.exe	Get hash	malicious	Browse
	V796UGDxjs.exe	Get hash	malicious	Browse
	http://www.mediafire.com/file/f28ppsxzjuy1xsb/UPSRO+2809203321.7z/file	Get hash	malicious	Browse
	https://www.mediafire.com/file/que9zdctac0t9w8/Cerere_de_achizitie.7z/file	Get hash	malicious	Browse
	Eyl#U00fcl Al#U0131m#U0131.exe	Get hash	malicious	Browse
	Urun Detaylari.exe	Get hash	malicious	Browse
	Olaganustu odeme.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.1and1.es	Fizetesi felszolitas.exe	Get hash	malicious	Browse	212.227.15.158
	Fizetesi felszolitas.tar	Get hash	malicious	Browse	212.227.15.142
	Orden de pago BBVA.exe	Get hash	malicious	Browse	212.227.15.142
	P0.exe	Get hash	malicious	Browse	212.227.15.158
	RtjTx7D1TN.exe	Get hash	malicious	Browse	212.227.15.158
	Odeme talimati.exe	Get hash	malicious	Browse	212.227.15.158
	PAP001.exe	Get hash	malicious	Browse	212.227.15.142
	Paketdetails.exe	Get hash	malicious	Browse	212.227.15.142
	71220 33922.tar	Get hash	malicious	Browse	212.227.15.158
	71220 33922.exe	Get hash	malicious	Browse	212.227.15.158
	71220 33922.exe	Get hash	malicious	Browse	212.227.15.158
	PAG0.exe	Get hash	malicious	Browse	212.227.15.142
	bTe4j4LGwM.exe	Get hash	malicious	Browse	212.227.15.158
	25BWkjzJzs.exe	Get hash	malicious	Browse	212.227.15.142
	b6Sq4e2cn7.exe	Get hash	malicious	Browse	212.227.15.142
	TRANS11.exe	Get hash	malicious	Browse	212.227.15.158
	h41lD1yljY.exe	Get hash	malicious	Browse	212.227.15.142
	tHI1XuJZbs.exe	Get hash	malicious	Browse	212.227.15.158
	CHBhXBQny7.exe	Get hash	malicious	Browse	212.227.15.142
	ERteds4p1u.exe	Get hash	malicious	Browse	212.227.15.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	Fizetesi felszolitas.exe	Get hash	malicious	Browse	212.227.15.158
	Fizetesi felszolitas.tar	Get hash	malicious	Browse	212.227.15.142
	Orden de pago BBVA.exe	Get hash	malicious	Browse	212.227.15.142
	details.html	Get hash	malicious	Browse	195.20.250.196
	Scan_23748991000.exe	Get hash	malicious	Browse	74.208.5.15
	rtgs_pdf.exe	Get hash	malicious	Browse	217.160.0.163
	details.html	Get hash	malicious	Browse	195.20.250.196
	Nuevo pedido.exe	Get hash	malicious	Browse	217.160.0.168
	https://veringer.com/wp-includes/wwii11/GXQb6HLGz4AV965RfN9795cyETWfmdzBUarzFg4YkqaJnfdTD/	Get hash	malicious	Browse	217.76.132.244
	r8a97.exe	Get hash	malicious	Browse	82.165.152.127
	Nuevo pedido.exe	Get hash	malicious	Browse	217.160.0.168
	KI2011-2982..exe	Get hash	malicious	Browse	74.208.5.15
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	217.160.0.215
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	217.160.0.215
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	217.160.0.215
	https://j.mp/3rJBANn	Get hash	malicious	Browse	74.208.236.92
	http://murari.es/wp-content/h	Get hash	malicious	Browse	217.76.142.236
	rib.exe	Get hash	malicious	Browse	74.208.236.219
	xLH4kwOjXR.exe	Get hash	malicious	Browse	82.165.103.72
	order FTH2004-005.exe	Get hash	malicious	Browse	217.160.0.163

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JUST1F1.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.282390836641403
Encrypted:	false
SSDEEP:	24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
MD5:	5AD8E7ABEADADAC4CE06FF693476581A
SHA1:	81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
SHA-256:	BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
SHA-512:	7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.2529463157768355
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
MD5:	FF3B761A021930205BEC9D7664AE9258
SHA1:	1039D595C6333358D5F7EE5619FE6794E6F5FDB1
SHA-256:	A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
SHA-512:	1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\4uifd5lh.jpu\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1560
Entropy (8bit):	5.059587217820517
Encrypted:	false
SSDEEP:	48:LNlxgGcGbcGcGpqG37GcGpvmGbmGqmG0G7GrG7GcGBGcGrGPghW:LNlE5Qap
MD5:	824CDF1B4684C4CF1BEC917679BAF98A
SHA1:	D184864005E8304628B5949F990A1F3DD5AA369F
SHA-256:	4481B92210DAE130EE619D13A22481114F0068197A59FE1C3D1846ED6935CA69
SHA-512:	4EC38C0F96032E36712777FF4AC161BFF7492FA5B02109436EBF845FED48F5D1BBFEB32C1B1260DD3B76144CC5218CADDE7AD37946AD43EFB381594CE4851DC6
Malicious:	false
Reputation:	low
Preview:	01/11/2021 6:19 PM: Unpack: C:\Users\user\Desktop\JUST1F1.tar..01/11/2021 6:19 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg..01/11/2021 6:19 PM: Received from standard out: ..01/11/2021 6:19 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/11/2021 6:19 PM: Received from standard out: ..01/11/2021 6:19 PM: Received from standard out: Scanning the drive for archives:..01/11/2021 6:19 PM: Received from standard out: 1 file, 911872 bytes (891 KiB)..01/11/2021 6:19 PM: Received from standard out: ..01/11/2021 6:19 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\JUST1F1.tar..01/11/2021 6:19 PM: Received from standard out: --..01/11/2021 6:19 PM: Received from standard out: Path = C:\Users\user\Desktop\JUST1F1.tar..01/11/2021 6:19 PM: Received from standard out: Type = tar..01/11/2021 6:19 PM: Received from standard out: Physical Size = 911872..01/11/2021 6:19 PM: Received from standard out: He

C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	910336
Entropy (8bit):	7.409563180880888
Encrypted:	false
SSDEEP:	12288:dG9cmhhfemqz0BNY+bbYYa40blz56HRkVHsxiqqcCoPN/NOAJcEAKImNdY:w9cUQSml9SRkOxi7cCmXcExNO
MD5:	1B05FB33C53270DB133E7E7830CDA935
SHA1:	87DA85A3BA7369E684C4120F2329F09BB86CDAC2
SHA-256:	4339850F60524D4FC4E157D7CDF156400DB803219CAC6D9768CED6BE90925089
SHA-512:	CD25D29E9D27F627E28C75260D0834331D24B63DF70AC8CF48455B25D164D111FB7590CCE5D1ECEE334C65EDE80159F5077A433E59867D368D85C199CD1D554D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#...............P..F...........e... ........@.. .......................@............@..................................e..O.......p.................... ......de............................................... ............... ..H............text....E... ...F.................. ..`.rsrc...p............H..............@..@.reloc....... ......................@..B.................e......H........W...............q...............................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+..&..(2.......0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....

Static File Info

General
File type:	tar archive
Entropy (8bit):	7.403765894301429
TrID:
File name:	JUST1F1.tar
File size:	911872
MD5:	68bfcb37e51bc06b0f9b776ad69c9575
SHA1:	11f8c44f9c1d466def73c75149a661aa2cf71dfd
SHA256:	d23f969ae26972088e1ec2c404edfb95add9b3a67be616fedd1ee0fef7cba287
SHA512:	56f42eff4ccbf2ff98115b4f550330c869f60c29b3a875b77d46b839b210ec5d458b8872c908a1fc2497ccffa646f31c2f62ae193f8e64b34e4c98be479bc6dc
SSDEEP:	12288:hG9cmhhfemqz0BNY+bbYYa40blz56HRkVHsxiqqcCoPN/NOAJcEAKImNdY:E9cUQSml9SRkOxi7cCmXcExNO
File Content Preview:	JUST1F1.exe.........................................................................................0000755.0000000.0000000.00003362000.13776772021.0006350.0..................................................................................................

File Icon


Icon Hash:	00828e8e8686b000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 18:21:41.031100988 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.077652931 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.077934980 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.126873970 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.127340078 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.173743963 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.173787117 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.174185991 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.221072912 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.273782015 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.283530951 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.332076073 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.332127094 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.332159996 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.332247019 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.336798906 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.338429928 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.383433104 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.383656979 CET	49774	587	192.168.2.4	212.227.15.142
Jan 11, 2021 18:21:41.384968042 CET	587	49774	212.227.15.142	192.168.2.4
Jan 11, 2021 18:21:41.385193110 CET	49774	587	192.168.2.4	212.227.15.142

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 18:19:53.576391935 CET	49910	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:53.624532938 CET	53	49910	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:54.360508919 CET	55854	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:54.408507109 CET	53	55854	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:55.196389914 CET	64549	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:55.244462013 CET	53	64549	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:56.216443062 CET	63153	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:56.264246941 CET	53	63153	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:57.198611021 CET	52991	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:57.246454000 CET	53	52991	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:58.011183023 CET	53700	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:58.067666054 CET	53	53700	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:58.818234921 CET	51726	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:58.874752045 CET	53	51726	8.8.8.8	192.168.2.4
Jan 11, 2021 18:19:59.698775053 CET	56794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:19:59.746836901 CET	53	56794	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:00.689452887 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:00.737524986 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:01.667010069 CET	56627	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:01.718202114 CET	53	56627	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:02.429788113 CET	56621	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:02.480901957 CET	53	56621	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:03.408637047 CET	63116	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:03.457479000 CET	53	63116	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:18.306932926 CET	64078	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:18.357745886 CET	53	64078	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:21.521223068 CET	64801	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:21.596088886 CET	53	64801	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:35.791552067 CET	61721	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:35.868052006 CET	53	61721	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:36.415021896 CET	51255	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:36.465821981 CET	53	51255	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:37.034991980 CET	61522	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:37.096507072 CET	53	61522	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:37.500098944 CET	52337	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:37.628593922 CET	53	52337	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:37.673626900 CET	55046	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:37.745455980 CET	53	55046	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:38.076317072 CET	49612	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:38.132837057 CET	53	49612	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:38.651369095 CET	49285	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:38.707897902 CET	53	49285	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:39.245394945 CET	50601	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:39.296252012 CET	53	50601	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:40.020983934 CET	60875	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:40.080224991 CET	53	60875	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:40.840991974 CET	56448	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:40.889153004 CET	53	56448	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:41.338118076 CET	59172	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:41.397372961 CET	53	59172	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:43.018860102 CET	62420	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:43.066968918 CET	53	62420	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:53.537053108 CET	60579	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:53.585367918 CET	53	60579	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:53.592798948 CET	50183	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:53.649717093 CET	53	50183	8.8.8.8	192.168.2.4
Jan 11, 2021 18:20:56.472029924 CET	61531	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:20:56.532886982 CET	53	61531	8.8.8.8	192.168.2.4
Jan 11, 2021 18:21:27.536237001 CET	49228	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:21:27.587044954 CET	53	49228	8.8.8.8	192.168.2.4
Jan 11, 2021 18:21:29.377300024 CET	59794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:21:29.441731930 CET	53	59794	8.8.8.8	192.168.2.4
Jan 11, 2021 18:21:40.953511953 CET	55916	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:21:41.011940956 CET	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 18:21:40.953511953 CET	192.168.2.4	8.8.8.8	0x2d38	Standard query (0)	smtp.1and1.es	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 11, 2021 18:21:41.011940956 CET	8.8.8.8	192.168.2.4	0x2d38	No error (0)	smtp.1and1.es		212.227.15.142	A (IP address)	IN (0x0001)
Jan 11, 2021 18:21:41.011940956 CET	8.8.8.8	192.168.2.4	0x2d38	No error (0)	smtp.1and1.es		212.227.15.158	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2021 18:21:41.126873970 CET	587	49774	212.227.15.142	192.168.2.4	220 kundenserver.de (mreue011) Nemesis ESMTP Service ready
Jan 11, 2021 18:21:41.127340078 CET	49774	587	192.168.2.4	212.227.15.142	EHLO 910646
Jan 11, 2021 18:21:41.173787117 CET	587	49774	212.227.15.142	192.168.2.4	250-kundenserver.de Hello 910646 [84.17.52.74] 250-8BITMIME 250-AUTH LOGIN PLAIN 250-SIZE 140000000 250 STARTTLS
Jan 11, 2021 18:21:41.174185991 CET	49774	587	192.168.2.4	212.227.15.142	STARTTLS
Jan 11, 2021 18:21:41.221072912 CET	587	49774	212.227.15.142	192.168.2.4	220 OK

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exe PID: 5780 Parent PID: 5952

General

Start time:	18:19:57
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\JUST1F1.tar'
Imagebase:	0xe00000
File size:	10240 bytes
MD5 hash:	8B435F8731563566F3F49203BA277865
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: 7za.exe PID: 6104 Parent PID: 5780

General

Start time:	18:19:57
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg' 'C:\Users\user\Desktop\JUST1F1.tar'
Imagebase:	0x50000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5576 Parent PID: 6104

General

Start time:	18:19:58
Start date:	11/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2856 Parent PID: 5780

General

Start time:	18:19:58
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 864 Parent PID: 2856

General

Start time:	18:19:59
Start date:	11/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JUST1F1.exe PID: 6840 Parent PID: 2856

General

Start time:	18:19:59
Start date:	11/01/2021
Path:	C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Imagebase:	0xc50000
File size:	910336 bytes
MD5 hash:	1B05FB33C53270DB133E7E7830CDA935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.675383386.0000000004481000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.674621864.0000000003481000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: JUST1F1.exe PID: 6516 Parent PID: 6840

General

Start time:	18:20:08
Start date:	11/01/2021
Path:	C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jwzcmshk.kmg\JUST1F1.exe
Imagebase:	0xa50000
File size:	910336 bytes
MD5 hash:	1B05FB33C53270DB133E7E7830CDA935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.990481761.0000000003331000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.989247161.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report JUST1F1.tar

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: unarchiver.exe PID: 5780 Parent PID: 5952

General

Analysis Process: 7za.exe PID: 6104 Parent PID: 5780

General

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre