Analysis Report FYI.exe

Overview

General Information

Sample Name: FYI.exe
Analysis ID: 339364
MD5: 4768fad22f989c9ac940775ca46f91f6
SHA1: 78f2e47fbcd50d77b8c0ea5e07209a2b1a79c45e
SHA256: 275b79db451178b96e4872f9164b8b89f25a5f22ff8ba5f983d555cb3972a95d
Tags: exe


Detection

AgentTesla
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: FYI.exe Virustotal: Detection: 28%
Source: FYI.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: FYI.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: FYI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FYI.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb4 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.354264046.00000000007BF000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb& source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: ole32.pdbp source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: ility.pdbn source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb> source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: ~IC:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbD source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbR source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbH source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbv source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
Source: Binary string: FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: WLDP.pdb\ source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb* source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.354264046.00000000007BF000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER7630.tmp.dmp.4.dr
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdb`i source: WER7630.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDSD source: WER7630.tmp.dmp.4.dr
Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbz source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbN source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.354082981.00000000007B3000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: ore.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbt source: WER7630.tmp.dmp.4.dr
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbP source: WER7630.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: j,C:\Windows\System.pdb source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Note: the schemas.xmlsoap.org claim URIs above are the System.Security.Claims.ClaimTypes constants of mscorlib, read from WerFault.exe's memory after it loaded mscorlib.ni.dll to write the crash dump (see the Section loaded entries under System Summary). They are framework strings, not network indicators for this sample, and the stray letters joining consecutive URIs are an extraction artifact, not part of the URIs.
Source: FYI.exe, 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Note: unlike the entries above, this URL is in FYI.exe's own memory and is the one string here worth treating as an indicator: it points at a Tor client bundle (tor-win32-0.4.3.6 from Tor Browser 9.5.3) on a mirror host. No corresponding download or network activity is recorded in this report, so it documents capability, not observed traffic.

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_001A9013 0_2_001A9013
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_00A2C62C 0_2_00A2C62C
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_00A2E8A0 0_2_00A2E8A0
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_00A2E890 0_2_00A2E890
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_057B491D 0_2_057B491D
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_057B0BD8 0_2_057B0BD8
Source: C:\Users\user\Desktop\FYI.exe Code function: 0_2_057B0BC9 0_2_057B0BC9
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1160
Note: WerFault.exe is the Windows Error Reporting handler; -u marks a user-mode crash and -p gives the PID of the crashed process. PID 7132 is the FYI.exe instance (it is the only other process in the run, and WerFault names it in the WERReportingForProcess7132 mutant below). Because the sample crashed, its behaviour in this run is incomplete: the AgentTesla verdict rests on the Yara, machine-learning and static findings rather than on observed keylogging, credential theft or exfiltration.
PE file contains strange resources
Source: FYI.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FYI.exe, 00000000.00000000.335501038.000000000027F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameELEMDESC.exe@ vs FYI.exe
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs FYI.exe
Source: FYI.exe, 00000000.00000002.420908205.0000000005720000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs FYI.exe
Source: FYI.exe, 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemtIhhvyBlBQJqvuFVfaUQvZuNNNzVTchmZnhg.exe4 vs FYI.exe
Source: FYI.exe Binary or memory string: OriginalFilenameELEMDESC.exe@ vs FYI.exe
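The four OriginalFilename strings above come from two places: ELEMDESC.exe is the name in the VERSIONINFO resource of FYI.exe on disk, while SoapName.dll, PositiveSign.dll and the long random .exe name were read from FYI.exe's memory, consistent with further assemblies being unpacked at runtime (the ".NET source code contains potential unpacker" signature). The trailing character after each name (@, 2, <, 4) is most likely not part of it: in a VS_VERSIONINFO String structure the NUL-terminated value is followed by the next structure's wLength word, and 0x40, 0x32, 0x3C and 0x34 are exactly such small even lengths rendered as text, so the real names end at .exe and .dll. The script below is an added example for this report, not Joe Sandbox's own code: it pulls every OriginalFilename out of a file or memory dump and compares it with the on-disk name. The StringFileInfo fragment it is tested on (SAMPLE_VERSIONINFO, built by the _string_struct helper) is constructed here to mirror the ELEMDESC.exe case.

```python
"""Recover VERSIONINFO OriginalFilename values from a PE file or memory dump and compare
them with the name the sample was delivered under (the check behind the signature above).

Added example for this report, not Joe Sandbox code. SAMPLE_VERSIONINFO is constructed
inline so the script runs offline; pass a file path to main() to scan a real sample.
"""
import re
import struct
import sys
from pathlib import Path

# The key as stored in a VS_VERSIONINFO String structure: UTF-16LE, NUL-terminated.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(data: bytes) -> list[str]:
    """Return every OriginalFilename value in `data`, in order of appearance.

    A String structure is wLength, wValueLength, wType, szKey, padding to a 32-bit
    boundary, then the UTF-16LE Value. Scanning for the key instead of walking the
    resource tree makes the same code work on a raw file and on a memory dump, where
    the version info of assemblies unpacked at runtime also shows up.
    """
    names = []
    for match in re.finditer(re.escape(_KEY), data):
        pos = match.end()
        while data[pos:pos + 2] == b"\x00\x00":      # alignment padding before the value
            pos += 2
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2                                  # advance one UTF-16 code unit
        value = data[pos:end].decode("utf-16-le", errors="replace")
        if value:
            names.append(value)
    return names


def name_mismatches(sample_name: str, data: bytes) -> list[str]:
    """OriginalFilename values that differ from the on-disk name (case-insensitive, as Windows is)."""
    return [n for n in original_filenames(data) if n.lower() != sample_name.lower()]


def _string_struct(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String structure; used only to construct test input."""
    szkey = key.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(szkey)) % 4:                          # pad szKey to a 32-bit boundary
        szkey += b"\x00\x00"
    val = value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(szkey) + len(val), len(value) + 1, 1) + szkey + val


# Constructed StringFileInfo fragment mirroring what the report saw: the version
# resource claims ELEMDESC.exe although the file was submitted as FYI.exe.
SAMPLE_VERSIONINFO = (
    _string_struct("CompanyName", "")
    + _string_struct("OriginalFilename", "ELEMDESC.exe")
    + _string_struct("ProductName", "ELEMDESC")
)


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <pe-file-or-memory-dump>", file=sys.stderr)
        return 2
    path = Path(argv[1])
    data = path.read_bytes()
    found = original_filenames(data)
    mismatches = name_mismatches(path.name, data)
    print(f"{path.name}: OriginalFilename values {found or 'none'}")
    if mismatches:
        print(f"  mismatch vs on-disk name: {', '.join(mismatches)}")
    return 1 if mismatches else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the sample or a dumped memory region; a non-zero exit means the version info disagrees with the on-disk name. Version info is trivially forged, so a match proves nothing, but a mismatch, and especially several different names inside one process's memory, is a cheap triage signal that something was unpacked.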
Source: classification engine Classification label: mal76.troj.evad.winEXE@2/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7630.tmp
Source: FYI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FYI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FYI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: the .NET runtime consults this software restriction policy (SAFER) key for every managed executable it loads, so this entry is expected for any .NET sample and is not specific to AgentTesla.
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FYI.exe File read: C:\Users\user\Desktop\FYI.exe
Source: unknown Process created: C:\Users\user\Desktop\FYI.exe 'C:\Users\user\Desktop\FYI.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1160
Source: C:\Users\user\Desktop\FYI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\FYI.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: FYI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
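The Static PE information lines in this report (32BIT_MACHINE and EXECUTABLE_IMAGE from the COFF Characteristics; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT from the optional header's DllCharacteristics; the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory that marks a managed image) are plain header fields. For a .NET executable this combination is what the C# and VB compilers emit by default, so the four DllCharacteristics flags say nothing about deliberate hardening; the useful bit is the COM descriptor, which tells you to reach for a .NET decompiler rather than a native disassembler. The parser below is an added example for this report, not Joe Sandbox code. It uses only the standard library, and build_test_header constructs a minimal, non-loadable PE32 header (a test fixture, not a real sample) so the check runs offline.

```python
"""Read the PE header fields behind the 'Static PE information' lines: COFF Machine and
Characteristics, the optional header's DllCharacteristics, and whether data directory 14
(the COM descriptor) is present, which is what marks a managed (.NET) image.

Added example for this report, not Joe Sandbox code; standard library only.
"""
import struct
import sys
from pathlib import Path

FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def pe_summary(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    # The 64-bit ImageBase/stack/heap fields of PE32+ push the directory table 16 bytes down.
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    managed = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        rva, size = struct.unpack_from("<II", data, entry)
        managed = rva != 0 and size != 0                      # non-empty CLR header => .NET image
    return {
        "machine": hex(machine),
        "pe32plus": pe32plus,
        "characteristics": sorted(n for f, n in FILE_CHARACTERISTICS.items() if chars & f),
        "dll_characteristics": sorted(n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f),
        "managed": managed,
    }


def build_test_header(*, dll_chars: int, managed: bool) -> bytes:
    """Constructed PE32 header (I386, EXECUTABLE_IMAGE|32BIT_MACHINE) for testing; not loadable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                       # 96-byte PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path: summarise that file. Without: summarise the constructed header,
    # whose flags match the ones this report lists for FYI.exe (0x8540 + COM descriptor).
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_test_header(dll_chars=0x8540, managed=True)
    for key, val in pe_summary(blob).items():
        print(f"{key}: {val}")
```

Only the header is parsed, so the script does not reach the CLR header itself; whether an AnyCPU image will actually run 32-bit or 64-bit is decided by flags there, not by 32BIT_MACHINE alone.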
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbz source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbN source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.354082981.00000000007B3000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: ore.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbt source: WER7630.tmp.dmp.4.dr
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbP source: WER7630.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: j,C:\Windows\System.pdb source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: FYI.exe, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.FYI.exe.1a0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.FYI.exe.1a0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample Static PE information: section name: .text entropy: 7.25136431131

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FYI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FYI.exe TID: 7136 Thread sleep time: -51794s >= -30000s
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: vmware
Source: WerFault.exe, 00000004.00000002.404531746.0000000004867000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000003.370449184.00000000048D4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\FYI.exe Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Users\user\Desktop\FYI.exe VolumeInformation
Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FYI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY
Behavior Graph (ID: 339364, Sample: FYI.exe, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 76): the graph rendering is not reproduced here. It shows FYI.exe started with the signatures Multi AV Scanner detection for submitted file, Yara detected AgentTesla, Yara detected AntiVM_3 and 3 other signatures; FYI.exe started WerFault.exe, which contacted 192.168.2.1 (unknown) and dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian).

Contacted Public IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)

Private IPs

IP
192.168.2.1