Loading ...

Play interactive tourEdit tour

Analysis Report file

Overview

General Information

Sample Name:file (renamed file extension from none to exe)
Analysis ID:339258
MD5:4014c919c4f26d8b5e72b255cffee0ab
SHA1:88a96eca36775921b5244f206ad461e761bc7a4a
SHA256:7b2e9f16b557d194f079e970dac923105073eb2aed4b63960c05d5c4bb816184
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)

Classification

Startup

  • System is w10x64
  • file.exe (PID: 1748 cmdline: 'C:\Users\user\Desktop\file.exe' MD5: 4014C919C4F26D8B5E72B255CFFEE0AB)
    • file.exe (PID: 4388 cmdline: {path} MD5: 4014C919C4F26D8B5E72B255CFFEE0AB)
    • file.exe (PID: 3336 cmdline: {path} MD5: 4014C919C4F26D8B5E72B255CFFEE0AB)
    • file.exe (PID: 2964 cmdline: {path} MD5: 4014C919C4F26D8B5E72B255CFFEE0AB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.238874071.0000000003251000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      Process Memory Space: file.exe PID: 1748JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        Process Memory Space: file.exe PID: 1748JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Multi AV Scanner detection for submitted fileShow sources
          Source: file.exeReversingLabs: Detection: 48%
          Machine Learning detection for sampleShow sources
          Source: file.exeJoe Sandbox ML: detected
          Source: file.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: file.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_058C9690
          Source: global trafficTCP traffic: 192.168.2.5:49734 -> 31.209.137.12:587
          Source: Joe Sandbox ViewIP Address: 31.209.137.12 31.209.137.12
          Source: global trafficTCP traffic: 192.168.2.5:49734 -> 31.209.137.12:587
          Source: unknownDNS traffic detected: queries for: smtp.vivaldi.net
          Source: file.exe, 00000004.00000003.442698435.0000000000EB4000.00000004.00000001.sdmpString found in binary or memory: https://TNxeq3XdBc59HHjc.org1-5-21-3853321935-2125563209-4053062332-1002_Classes
          Source: file.exe, 00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00ED8D5D1_2_00ED8D5D
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C86581_2_058C8658
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C0AE01_2_058C0AE0
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C96901_2_058C9690
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058CA5381_2_058CA538
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058CA5481_2_058CA548
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058CA7E81_2_058CA7E8
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C86481_2_058C8648
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C0AD81_2_058C0AD8
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_058C96801_2_058C9680
          Source: C:\Users\user\Desktop\file.exeCode function: 2_2_001D8D5D2_2_001D8D5D
          Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00198D5D3_2_00198D5D
          Source: file.exe, 00000001.00000002.238189803.0000000000F6E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamen* vs file.exe
          Source: file.exe, 00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs file.exe
          Source: file.exe, 00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuggBMQjKJRafboxcRqYXLSnJpwaulyTJ.exe4 vs file.exe
          Source: file.exe, 00000001.00000002.238874071.0000000003251000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs file.exe
          Source: file.exe, 00000002.00000000.235109066.000000000026E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamen* vs file.exe
          Source: file.exe, 00000003.00000002.236443893.000000000022E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamen* vs file.exe
          Source: file.exe, 00000004.00000000.237225174.000000000092E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamen* vs file.exe
          Source: file.exeBinary or memory string: OriginalFilenamen* vs file.exe
          Source: file.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 3.0.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 3.0.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 3.0.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 2.2.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 2.2.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 2.2.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: file.exe, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: file.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: file.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 1.2.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 1.2.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 1.2.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 3.2.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 3.2.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 3.2.file.exe.190000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 1.0.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 1.0.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 1.0.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 2.0.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 2.0.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 2.0.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 4.0.file.exe.890000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 4.0.file.exe.890000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 4.0.file.exe.890000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/1@1/1
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: file.exeReversingLabs: Detection: 48%
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe 'C:\Users\user\Desktop\file.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe {path}
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: file.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: file.exe, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.file.exe.ed0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.file.exe.1d0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.file.exe.190000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.file.exe.190000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.file.exe.890000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stampShow sources
          Source: initial sampleStatic PE information: 0xC0B97CD9 [Fri Jun 17 09:33:13 2072 UTC]
          Source: initial sampleStatic PE information: section name: .text entropy: 7.8915177109
          Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM_3Show sources
          Source: Yara matchFile source: 00000001.00000002.238874071.0000000003251000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 1748, type: MEMORY
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 1308Jump to behavior
          Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 8546Jump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 4616Thread sleep time: -31500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 5376Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 2900Thread sleep time: -18446744073709540s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 3552Thread sleep count: 1308 > 30Jump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 3552Thread sleep count: 8546 > 30Jump to behavior
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: file.exe, 00000001.00000002.238949637.00000000032CF000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: 00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 1748, type: MEMORY
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
          Tries to harvest and steal browser information (history, passwords, etc)Show sources
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Tries to harvest and steal ftp login credentialsShow sources
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
          Tries to steal Mail credentials (via file access)Show sources
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior

          Remote Access Functionality:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: 00000001.00000002.239658084.0000000004259000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 1748, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection11Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion13Credentials in Registry1Security Software Discovery211Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion13SMB/Windows Admin SharesData from Local System2Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection11NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing12Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsTimestomp1DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet