
Analysis Report New PO #0164522433 JAN 2021.gz.exe

Overview

General Information

Sample Name: New PO #0164522433 JAN 2021.gz.exe
Analysis ID: 339125
MD5: 366c006291f6adb53ecdaa39bc1f3c24
SHA1: 5bab58638bffd0b5933f2e266b6f689d9835a9e7
SHA256: 43891ebd12a33234d3776da3e200f2d778cc1a169050f3db729ceb8838f0ebd1
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.578500355.0000000003443000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: New PO #0164522433 JAN 2021.gz.exe | Virustotal: Detection: 23%
Machine Learning detection for sample
Source: New PO #0164522433 JAN 2021.gz.exe | Joe Sandbox ML: detected
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: http://mWLzHd.com
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223823052.000000000132B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b79DC2F01u002dFAFFu002d4FF0u002dBA64u002dE3D4296BD410u007d/AACAB8EDu002d2C83u002d4858u002d8795u002dEEDB395CF94A.cs | Large array initialization: .cctor: array initializer size 11780
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 1_2_00BA9013
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 1_2_030EC62C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 1_2_030EE890
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 1_2_030EE8A0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_00F09013
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_0149094E
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_01490F80
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_0149A602
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_0149A2D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C4100
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C62D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C0668
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C19B8
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C8A48
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_01506068
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_01501500
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223605162.0000000000C6C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223823052.000000000132B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000000.222934806.0000000000FCC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.573629913.0000000001358000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.572733398.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe | Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical entries)
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO #0164522433 JAN 2021.gz.exe.log
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New PO #0164522433 JAN 2021.gz.exe | Virustotal: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe 'C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe'
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO #0164522433 JAN 2021.gz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New PO #0164522433 JAN 2021.gz.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.New PO #0164522433 JAN 2021.gz.exe.ba0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.New PO #0164522433 JAN 2021.gz.exe.ba0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.New PO #0164522433 JAN 2021.gz.exe.f00000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.f00000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014908B8 pushad ; iretd 2_2_014908B9
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014908BA push esp; iretd 2_2_014908C1
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_01491B68 push ecx; retf 2_2_01491B6C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014967A7 push edi; retn 0000h 2_2_014967A9
Source: initial sample | Static PE information: section name: .text entropy: 7.28301049157
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Window / User API: threadDelayed 1784
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Window / User API: threadDelayed 8073
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 2396 | Thread sleep time: -52827s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 2168 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4464 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4456 | Thread sleep count: 1784 > 30
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4456 | Thread sleep count: 8073 > 30
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Code function: 2_2_014C4100 LdrInitializeThunk, 2_2_014C4100
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000002.00000002.578500355.0000000003443000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
              Source: Yara match | File source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000002.00000002.578500355.0000000003443000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
              Source: Yara match | File source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 211 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | Input Capture 1 | Virtualization/Sandbox Evasion 13 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 114 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.