Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.BehavesLike.Win32.Generic.cc.14146

Overview

General Information

Sample Name:SecuriteInfo.com.BehavesLike.Win32.Generic.cc.14146 (renamed file extension from 14146 to exe)
Analysis ID:339176
MD5:b232b5c7754d932b07c0d47f934efbfe
SHA1:7c3d92552f6ebab8956727beecaac5d22c87a55b
SHA256:3311cea59262b019a69fb72b72a36fc8e55d48a0f14f853b3a52fc8740542e99
Tags:AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AGywGPT", "URL: ": "https://wV71njTiOcKvohmw.org", "To: ": "0012@dividekings.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "qOQRsCQgut", "From: ": "0012@dividekings.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.3152.3.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0AGywGPT", "URL: ": "https://wV71njTiOcKvohmw.org", "To: ": "0012@dividekings.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "qOQRsCQgut", "From: ": "0012@dividekings.com"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeReversingLabs: Detection: 19%
              Machine Learning detection for sampleShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJoe Sandbox ML: detected
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05C1B540
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05C1B550
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then jmp 05C1A974h0_2_05C1A8F4

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://wV71njTiOcKvohmw.org
              Source: global trafficTCP traffic: 192.168.2.4:49778 -> 199.193.7.228:587
              Source: Joe Sandbox ViewIP Address: 199.193.7.228 199.193.7.228
              Source: global trafficTCP traffic: 192.168.2.4:49778 -> 199.193.7.228:587
              Source: unknownDNS traffic detected: queries for: smtp.privateemail.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://MLrjrg.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1002690754.0000000006D80000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000003.887543787.00000000014E5000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1002690754.0000000006D80000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998907100.0000000001433000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.use3
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://smtp.privateemail.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000661830.000000000341B000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000649442.0000000003414000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000003.868064909.0000000001264000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000469332.00000000033A0000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://wV71njTiOcKvohmw.org
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Installs a global keyboard hookShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.665794787.0000000000CFB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b49EBC49Du002dB1B3u002d4ED6u002dA41Au002d329378617F94u007d/u0031A3AC0E6u002d0D4Cu002d475Fu002dB7A0u002dA416DBBA91DC.csLarge array initialization: .cctor: array initializer size 11960
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111C62C0_2_0111C62C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E8900_2_0111E890
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E89F0_2_0111E89F
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E8A00_2_0111E8A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C1BE3C0_2_05C1BE3C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C16DC80_2_05C16DC8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C16DB80_2_05C16DB8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C10B590_2_05C10B59
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C10B680_2_05C10B68
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012469283_2_01246928
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012400403_2_01240040
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0124BCF03_2_0124BCF0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_01248E383_2_01248E38
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012460143_2_01246014
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012454903_2_01245490
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012448D83_2_012448D8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012422203_2_01242220
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016A48003_2_016A4800
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016A47103_2_016A4710
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016AD8B03_2_016AD8B0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065207713_2_06520771
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_06524B903_2_06524B90
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065230183_2_06523018
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652A4083_2_0652A408
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652C0083_2_0652C008
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652DC383_2_0652DC38
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065290F03_2_065290F0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065253303_2_06525330
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065253D03_2_065253D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065290903_2_06529090
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000000.648544028.0000000000612000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.665794787.0000000000CFB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUwmOHHBDnoPggABxzNSakYVEIeLLIDPrAYZ.exe4 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000002.00000002.662707396.0000000000042000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998225577.0000000000C72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameUwmOHHBDnoPggABxzNSakYVEIeLLIDPrAYZ.exe4 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999048731.0000000001580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998362641.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998855821.000000000140A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/2@2/1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.logJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeReversingLabs: Detection: 19%
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.610000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.610000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.40000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.40000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.c70000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.c70000.1.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: initial sampleStatic PE information: section name: .text entropy: 7.3067407255
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3Show sources
              Source: Yara matchFile source: 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow / User API: threadDelayed 8319Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow / User API: threadDelayed 1531Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 3788Thread sleep time: -54102s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 6336Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 6400Thread sleep time: -17524406870024063s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 5644Thread sleep count: 8319 > 30Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 5644Thread sleep count: 1531 > 30Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998907100.0000000001433000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652C008 LdrInitializeThunk,3_2_0652C008
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY
              Source: Yara matchFile source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Yara matchFile source: 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY
              Source: Yara matchFile source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion13Input Capture111Security Software Discovery211Remote Desktop ProtocolInput Capture111Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Credentials in Registry1Virtualization/Sandbox Evasion13SMB/Windows Admin SharesArchive Collected Data11Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSProcess Discovery2Distributed Component Object ModelData from Local System2Scheduled TransferApplication Layer Protocol111SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 339176