
Analysis Report New FedEx paper work review.exe

Overview

General Information

Sample Name: New FedEx paper work review.exe
Analysis ID: 339030
MD5: c359c954a7d104b0a1bde867f86e73a5
SHA1: e647c8aa88a7209463b0dd0daa733759a529806d
SHA256: 306602e7317841b219d25b24ca14f9e50987fe9c9e48b3728bb548dea4557f9d
Tags: AgentTesla, exe, FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "mRy89v", "URL: ": "https://jeQsgpMQfgg21VTI.net", "To: ": "recieve@resulthome.xyz", "ByHost: ": "mail.privateemail.com:587", "Password: ": "HXIEqtBQ5tSBy", "From: ": "recieve@resulthome.xyz"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.677503823.0000000004271000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(4 further entries not shown in the report)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.New FedEx paper work review.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: New FedEx paper work review.exe.3912.1.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "mRy89v", "URL: ": "https://jeQsgpMQfgg21VTI.net", "To: ": "recieve@resulthome.xyz", "ByHost: ": "mail.privateemail.com:587", "Password: ": "HXIEqtBQ5tSBy", "From: ": "recieve@resulthome.xyz"}
Multi AV Scanner detection for submitted file
Source: New FedEx paper work review.exe; Virustotal: Detection: 30%
Source: New FedEx paper work review.exe; ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: New FedEx paper work review.exe; Joe Sandbox ML: detected
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: New FedEx paper work review.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New FedEx paper work review.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_05D0E610)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: https://jeQsgpMQfgg21VTI.net
Source: global traffic; TCP traffic: 192.168.2.4:49768 -> 198.54.122.60:587
Source: Joe Sandbox View; IP Address: 198.54.122.60
Source: unknown; DNS traffic detected: queries for: mail.privateemail.com
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp; String found in binary or memory: http://TSGxUW.com
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: New FedEx paper work review.exe, 00000001.00000002.1028955305.00000000031C8000.00000004.00000001.sdmp; String found in binary or memory: http://mail.privateemail.com
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com0
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp; String found in binary or memory: https://jeQsgpMQfgg21VTI.net
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: New FedEx paper work review.exe, 00000000.00000002.677503823.0000000004271000.00000004.00000001.sdmp, New FedEx paper work review.exe, 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack, <PrivateImplementationDetails>{F4DCDF25-48D6-47F9-A17A-5021C92BDF87}/ADFED8F4-7DE1-4966-A323-08CADB54027F.cs; Large array initialization: .cctor: array initializer size 11966
Source: New FedEx paper work review.exe, 00000000.00000002.680228549.0000000006400000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename PositiveSign.dll vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename SoapName.dll vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename srfpYaXxCpIvMvkSQOGVRoHtylIkrSAz.exe vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.674710371.0000000000EB8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename StreamTokenReader.exe vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1030749233.00000000061C0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilename mscorrc.dll vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1027347384.0000000001310000.00000002.00000001.sdmp; Binary or memory string: OriginalFilename wshom.ocx.mui vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilename srfpYaXxCpIvMvkSQOGVRoHtylIkrSAz.exe vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000000.674014837.0000000000AE8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename StreamTokenReader.exe vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1026413397.0000000000EF8000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename UNKNOWN_FILE vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe; Binary or memory string: OriginalFilename StreamTokenReader.exe vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine; Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New FedEx paper work review.exe.log
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Users\user\Desktop\New FedEx paper work review.exe 'C:\Users\user\Desktop\New FedEx paper work review.exe'
Source: unknown; Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New FedEx paper work review.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Code function: 1_2_013DFC10 pushfd ; iretd (1_2_013DFC61)
Source: initial sample; Static PE information: section name: .text entropy: 7.44963037864
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New FedEx paper work review.exe; Process information set: NOOPENFILEERRORBOX (this entry is repeated 85 times in the report)

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New FedEx paper work review.exe PID: 5956, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Window / User API: threadDelayed 992
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Window / User API: threadDelayed 8862
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 4600 | Thread sleep time: -54070s >= -30000s
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 4600 | Thread sleep time: -45000s >= -30000s
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 6480 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 5768 | Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 2440 | Thread sleep count: 992 > 30
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 2440 | Thread sleep count: 8862 > 30
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Code function: 1_2_01397020 LdrInitializeThunk, 1_2_01397020
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Modifies the hosts file
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\New FedEx paper work review.exe | Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe
              Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progmanlock