
Analysis Report New PO #0164522433 JAN 2021.exe

Overview

General Information

Sample Name:New PO #0164522433 JAN 2021.exe
Analysis ID:339371
MD5:1cbe8e5ddca661fc3239ffcb3b44b1db
SHA1:1cc2dd369304b5ad81113b06cf7f73c75226cc4e
SHA256:8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
Tags:AgentTesla

Detection

AgentTesla
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: New PO #0164522433 JAN 2021.exe | Virustotal: Detection: 39%
Source: New PO #0164522433 JAN 2021.exe | ReversingLabs: Detection: 15%
Machine Learning detection for sample
Source: New PO #0164522433 JAN 2021.exe | Joe Sandbox ML: detected
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: New PO #0164522433 JAN 2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New PO #0164522433 JAN 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://mWLzHd.com
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New PO #0164522433 JAN 2021.exe | String found in binary or memory: http://tempuri.org/_391backDataSet.xsd
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618697950.00000000033B8000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, <PrivateImplementationDetails>{79DC2F01-FAFF-4FF0-BA64-E3D4296BD410}/AACAB8ED-2C83-4858-8795-EEDB395CF94A.cs | Large array initialization: .cctor: array initializer size 11780
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254C2B0 0_2_0254C2B0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254F71F 0_2_0254F71F
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254F720 0_2_0254F720
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_02549968 0_2_02549968
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0033283A 0_2_0033283A
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_014F46A0 4_2_014F46A0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_014F45D0 4_2_014F45D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C94F8 4_2_064C94F8
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C7540 4_2_064C7540
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C6928 4_2_064C6928
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C6C70 4_2_064C6C70
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CF979 4_2_064CF979
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D3283A 4_2_00D3283A
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilename vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.268791635.00000000059D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.260948979.000000000038E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilename vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000000.259895284.0000000000D8E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.615294523.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.616795158.0000000001508000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.615692206.0000000000FC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO #0164522433 JAN 2021.exe.log
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Customer] SET [Address] = @Address, [Postal_Code] = @Postal_Code, [Country] = @Country, [C_ID] = @C_ID, [C_City] = @C_City, [C_Phone] = @C_Phone WHERE (((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_Postal_Code = 1 AND [Postal_Code] IS NULL) OR ([Postal_Code] = @Original_Postal_Code)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ([C_ID] = @Original_C_ID) AND ((@IsNull_C_City = 1 AND [C_City] IS NULL) OR ([C_City] = @Original_C_City)) AND ((@IsNull_C_Phone = 1 AND [C_Phone] IS NULL) OR ([C_Phone] = @Original_C_Phone)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Invoice] ([C_ID], [INV_ID], [M_ID], [Services_Cost], [Inv_Date], [Electr_Cost], [Water_Cost], [Total_Cost]) VALUES (@C_ID, @INV_ID, @M_ID, @Services_Cost, @Inv_Date, @Electr_Cost, @Water_Cost, @Total_Cost);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method);
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Room_Type] ([TYPE_ID], [Name], [Description]) VALUES (@TYPE_ID, @Name, @Description); SELECT TYPE_ID, Name, Des
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method); SELECT M_ID, Method FROM Payment_Method WHERE (M_ID
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Services] ([Price], [Name], [Description], [Serv_Date], [S_ID]) VALUES (@Price, @Name, @Description, @Serv_Date, @S_ID);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Customer] ([Address], [Postal_Code], [Country], [C_ID], [C_City], [C_Phone]) VALUES (@Address, @Postal_Code, @Country, @C_ID, @C_City, @C_Phone);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Invoice] SET [C_ID] = @C_ID, [INV_ID] = @INV_ID, [M_ID] = @M_ID, [Services_Cost] = @Services_Cost, [Inv_Date] = @Inv_Date, [Electr_Cost] = @Electr_Cost, [Water_Cost] = @Water_Cost, [Total_Cost] = @Total_Cost WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ([INV_ID] = @Original_INV_ID) AND ((@IsNull_M_ID = 1 AND [M_ID] IS NULL) OR ([M_ID] = @Original_M_ID)) AND ((@IsNull_Services_Cost = 1 AND [Services_Cost] IS NULL) OR ([Services_Cost] = @Original_Services_Cost)) AND ((@IsNull_Inv_Date = 1 AND [Inv_Date] IS NULL) OR ([Inv_Date] = @Original_Inv_Date)) AND ((@IsNull_Electr_Cost = 1 AND [Electr_Cost] IS NULL) OR ([Electr_Cost] = @Original_Electr_Cost)) AND ((@IsNull_Water_Cost = 1 AND [Water_Cost] IS NULL) OR ([Water_Cost] = @Original_Water_Cost)) AND ((@IsNull_Total_Cost = 1 AND [Total_Cost] IS NULL) OR ([Total_Cost] = @Original_Total_Cost)));
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Person] ([First_Name], [Last_Name], [SIN]) VALUES (@First_Name, @Last_Name, @SIN); SELECT First_Name, Last_Name
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Person] SET [First_Name] = @First_Name, [Last_Name] = @Last_Name, [SIN] = @SIN WHERE (((@IsNull_First_Name = 1 AND [First_Name] IS NULL) OR ([First_Name] = @Original_First_Name)) AND ((@IsNull_Last_Name = 1 AND [Last_Name] IS NULL) OR ([Last_Name] = @Original_Last_Name)) AND ([SIN] = @Original_SIN));
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position); SELECT E_ID, Position FROM Employee WHERE (E_ID = @E_
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Payment_Method] SET [M_ID] = @M_ID, [Method] = @Method WHERE (([M_ID] = @Original_M_ID) AND ((@IsNull_Method = 1 AND [Method] IS NULL) OR ([Method] = @Original_Method)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Rooms] SET [R_ID] = @R_ID, [Price] = @Price, [Smoking_Allowed] = @Smoking_Allowed, [Description] = @Description, [Num_Of_Beds] = @Num_Of_Beds, [Floor] = @Floor WHERE (([R_ID] = @Original_R_ID) AND ((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Smoking_Allowed = 1 AND [Smoking_Allowed] IS NULL) OR ([Smoking_Allowed] = @Original_Smoking_Allowed)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Num_Of_Beds = 1 AND [Num_Of_Beds] IS NULL) OR ([Num_Of_Beds] = @Original_Num_Of_Beds)) AND ((@IsNull_Floor = 1 AND [Floor] IS NULL) OR ([Floor] = @Original_Floor)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Room_Type] SET [TYPE_ID] = @TYPE_ID, [Name] = @Name, [Description] = @Description WHERE (([TYPE_ID] = @Original_TYPE_ID) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Reservation] SET [C_ID] = @C_ID, [Date] = @Date, [RES_ID] = @RES_ID, [R_ID] = @R_ID, [Check_Out_Time] = @Check_Out_Time, [Check_In_Time] = @Check_In_Time WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ((@IsNull_Date = 1 AND [Date] IS NULL) OR ([Date] = @Original_Date)) AND ([RES_ID] = @Original_RES_ID) AND ((@IsNull_R_ID = 1 AND [R_ID] IS NULL) OR ([R_ID] = @Original_R_ID)) AND ((@IsNull_Check_Out_Time = 1 AND [Check_Out_Time] IS NULL) OR ([Check_Out_Time] = @Original_Check_Out_Time)) AND ((@IsNull_Check_In_Time = 1 AND [Check_In_Time] IS NULL) OR ([Check_In_Time] = @Original_Check_In_Time)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Employee] SET [E_ID] = @E_ID, [Position] = @Position WHERE (([E_ID] = @Original_E_ID) AND ((@IsNull_Position = 1 AND [Position] IS NULL) OR ([Position] = @Original_Position)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Services] SET [Price] = @Price, [Name] = @Name, [Description] = @Description, [Serv_Date] = @Serv_Date, [S_ID] = @S_ID WHERE (((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Serv_Date = 1 AND [Serv_Date] IS NULL) OR ([Serv_Date] = @Original_Serv_Date)) AND ([S_ID] = @Original_S_ID));
Source: New PO #0164522433 JAN 2021.exe | Virustotal: Detection: 39%
Source: New PO #0164522433 JAN 2021.exe | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe 'C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe'
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New PO #0164522433 JAN 2021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: New PO #0164522433 JAN 2021.exe | Static file information: File size 1116160 > 1048576
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10fe00
Source: New PO #0164522433 JAN 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New PO #0164522433 JAN 2021.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New PO #0164522433 JAN 2021.exe.320000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New PO #0164522433 JAN 2021.exe.320000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.New PO #0164522433 JAN 2021.exe.d20000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.New PO #0164522433 JAN 2021.exe.d20000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_003314B6 push 73000004h; retf 0_2_00331E2D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0032DD3E push 6F060001h; iretd 0_2_0032DD52
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0032FB28 push 73000004h; retf 0_2_0032FB55
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_003307D0 push 73000004h; retf 0_2_003307DA
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254446B push edi; ret 0_2_02544482
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_025453D1 push esi; ret 0_2_025453D6
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D314B6 push 73000004h; retf 4_2_00D31E2D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D2DD3E push 6F060001h; iretd 4_2_00D2DD52
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D307D0 push 73000004h; retf 4_2_00D307DA
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D2FB28 push 73000004h; retf 4_2_00D2FB55
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_0141D95C push eax; ret 4_2_0141D95D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_0141E333 push eax; ret 4_2_0141E349
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CA61F push es; iretd 4_2_064CA63C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C8540 push es; ret 4_2_064C8550
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CF979 push es; retf 4_2_064CFD98
Source: initial sample | Static PE information: section name: .text entropy: 7.08708553211
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Window / User API: threadDelayed 1032
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Window / User API: threadDelayed 8813
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 4632 | Thread sleep time: -53038s >= -30000s
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 1236 | Thread sleep time: -21213755684765971s >= -30000s
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 6012 | Thread sleep count: 1032 > 30
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 6012 | Thread sleep count: 8813 > 30
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
              Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
              Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
              Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C5D44 GetUserNameW, 4_2_064C5D44
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
              Source: Yara match | File source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY
              Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
              Source: Yara match | File source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 211 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | LSASS Memory | Virtualization/Sandbox Evasion 13 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

              Behavior Graph


              Screenshots
