Play interactive tour

Edit tour

Analysis Report sample2.bin

Overview

General Information

Sample Name:	sample2.bin (renamed file extension from bin to exe)
Analysis ID:	339443
MD5:	b0f2d519ccae5bf1435264e0979770ce
SHA1:	212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
SHA256:	a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

sample2.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\sample2.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)

sample2.exe (PID: 5652 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)

netsh.exe (PID: 2208 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nwama.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)

nwama.exe (PID: 7068 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)

netsh.exe (PID: 5780 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nwama.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)

nwama.exe (PID: 6592 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)

netsh.exe (PID: 5480 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.721770177.0000000003F4A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.987505021.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.996293991.0000000003865000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.992160350.0000000003704000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.987543673.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.737377613.000000000416B000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.993193122.00000000032F8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sample2.exe PID: 7104	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sample2.exe PID: 7104	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: sample2.exe PID: 5652	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sample2.exe PID: 5652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nwama.exe PID: 6508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nwama.exe PID: 6508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nwama.exe PID: 6592	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nwama.exe PID: 6592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nwama.exe PID: 5848	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nwama.exe PID: 5848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nwama.exe PID: 7068	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nwama.exe PID: 7068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.sample2.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.nwama.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.nwama.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\sample2.exe, ParentProcessId: 5652, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2208

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sample2.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe

Avira: detection malicious, Label: TR/Kryptik.bkfmg

Found malware configuration

Show sources

Source: sample2.exe.5652.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Metadefender: Detection: 25%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	ReversingLabs: Detection: 80%

Multi AV Scanner detection for submitted file

Show sources

Source: sample2.exe	Metadefender: Detection: 25%			Perma Link
Source: sample2.exe	ReversingLabs: Detection: 80%

Source: 1.2.sample2.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 18.2.nwama.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.2.nwama.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_05FF13C2 CryptUnprotectData,	1_2_05FF13C2
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_05FF1387 CryptUnprotectData,	1_2_05FF1387
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_05C11066 CryptUnprotectData,	11_2_05C11066
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_05C1102B CryptUnprotectData,	11_2_05C1102B

Source: sample2.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\sample2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: sample2.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://eu0j0ejPMgs9.com

Source: global traffic

TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587

Source: Joe Sandbox View

IP Address: 208.91.198.143 208.91.198.143

Source: global traffic

TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp, nwama.exe, 00000012.00000002.992391711.0000000002DDC000.00000004.00000001.sdmp	String found in binary or memory: http://eu0j0ejPMgs9.com
Source: sample2.exe, 00000001.00000003.724871830.00000000013B4000.00000004.00000001.sdmp	String found in binary or memory: http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: sample2.exe, 00000000.00000003.645220057.000000000504E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comep
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comg
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comhly
Source: sample2.exe, 00000000.00000003.645020096.000000000504E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comi
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: sample2.exe, 00000000.00000003.647869153.0000000005049000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: sample2.exe, 00000000.00000003.648321789.0000000005049000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmltF1
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: sample2.exe, 00000000.00000003.648093017.0000000005049000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers;
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: sample2.exe, 00000000.00000003.649192807.0000000005045000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: sample2.exe, 00000000.00000003.647892711.0000000005049000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersZ
Source: sample2.exe, 00000000.00000003.647942862.0000000005049000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTFN
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsivFw
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueS
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comuec
Source: sample2.exe, 00000000.00000003.642777953.000000000502B000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: sample2.exe, 00000000.00000003.642811892.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comicx
Source: sample2.exe, 00000000.00000003.644379621.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.cT
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn)
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnLog
Source: sample2.exe, 00000000.00000003.644029155.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnb
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnc
Source: sample2.exe, 00000000.00000003.644029155.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cns-m
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: sample2.exe, 00000000.00000003.644379621.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.m.
Source: sample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: sample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comK
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krrad
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krt
Source: nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: sample2.exe, 00000000.00000003.642985385.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com.
Source: sample2.exe, 00000000.00000003.642940134.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comm
Source: sample2.exe, 00000000.00000003.642985385.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: sample2.exe, 00000000.00000003.643012662.000000000502B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comnm.
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\sample2.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\sample2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe

Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\sample2.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings

Show sources

Source: sample2.exe, ClassCore.cs	Long String: Length: 86015
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: nwama.exe.1.dr, ClassCore.cs	Long String: Length: 86015
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs	Long String: Length: 86015
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs	Long String: Length: 86015
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs	Long String: Length: 86015
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs	Long String: Length: 86015
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs	Long String: Length: 86015

Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D109DA NtQuerySystemInformation,	0_2_06D109DA
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D1086A NtQueryInformationProcess,	0_2_06D1086A
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D10848 NtQueryInformationProcess,	0_2_06D10848
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D1099F NtQuerySystemInformation,	0_2_06D1099F
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0163B362 NtQuerySystemInformation,	1_2_0163B362
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0163B331 NtQuerySystemInformation,	1_2_0163B331
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A609DA NtQuerySystemInformation,	10_2_06A609DA
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A6086A NtQueryInformationProcess,	10_2_06A6086A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A6099F NtQuerySystemInformation,	10_2_06A6099F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A60848 NtQueryInformationProcess,	10_2_06A60848

Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_00592379	0_2_00592379
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE2DC8	0_2_04DE2DC8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE45C0	0_2_04DE45C0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE25E8	0_2_04DE25E8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE0928	0_2_04DE0928
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE36D0	0_2_04DE36D0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DEAE18	0_2_04DEAE18
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE9A17	0_2_04DE9A17
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE9C90	0_2_04DE9C90
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE44BB	0_2_04DE44BB
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE9CA0	0_2_04DE9CA0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE5C70	0_2_04DE5C70
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE5C60	0_2_04DE5C60
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6410	0_2_04DE6410
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6400	0_2_04DE6400
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6838	0_2_04DE6838
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE2555	0_2_04DE2555
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DEA2F8	0_2_04DEA2F8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE5EF8	0_2_04DE5EF8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DEA2E7	0_2_04DEA2E7
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE1AE0	0_2_04DE1AE0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE5298	0_2_04DE5298
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE5288	0_2_04DE5288
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6678	0_2_04DE6678
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6669	0_2_04DE6669
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6230	0_2_04DE6230
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE6220	0_2_04DE6220
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DEDFD0	0_2_04DEDFD0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE33EF	0_2_04DE33EF
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DECF50	0_2_04DECF50
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_00593EF3	0_2_00593EF3
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_00EE2379	1_2_00EE2379
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592E110	1_2_0592E110
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592E940	1_2_0592E940
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_05920006	1_2_05920006
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592F770	1_2_0592F770
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592E100	1_2_0592E100
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592E8C0	1_2_0592E8C0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592E930	1_2_0592E930
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592ED76	1_2_0592ED76
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592EDE3	1_2_0592EDE3
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592F760	1_2_0592F760
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0592F0AA	1_2_0592F0AA
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06548AB0	1_2_06548AB0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06540717	1_2_06540717
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545F18	1_2_06545F18
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065483B8	1_2_065483B8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541C6F	1_2_06541C6F
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545080	1_2_06545080
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06544948	1_2_06544948
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541E43	1_2_06541E43
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542E07	1_2_06542E07
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654863A	1_2_0654863A
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654222D	1_2_0654222D
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065422D5	1_2_065422D5
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542EFA	1_2_06542EFA
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541EEB	1_2_06541EEB
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541E97	1_2_06541E97
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06547280	1_2_06547280
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542281	1_2_06542281
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06543281	1_2_06543281
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542EA3	1_2_06542EA3
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06548AAC	1_2_06548AAC
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06548AA9	1_2_06548AA9
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542B4F	1_2_06542B4F
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06547378	1_2_06547378
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654236E	1_2_0654236E
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542710	1_2_06542710
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545F10	1_2_06545F10
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654331D	1_2_0654331D
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541FD8	1_2_06541FD8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065423C2	1_2_065423C2
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542BFD	1_2_06542BFD
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542FED	1_2_06542FED
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542F96	1_2_06542F96
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541F84	1_2_06541F84
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542BA6	1_2_06542BA6
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542C54	1_2_06542C54
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06543044	1_2_06543044
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545C43	1_2_06545C43
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654E848	1_2_0654E848
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545070	1_2_06545070
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542416	1_2_06542416
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06548017	1_2_06548017
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654202C	1_2_0654202C
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065420D4	1_2_065420D4
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065464D8	1_2_065464D8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065430F2	1_2_065430F2
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541CF3	1_2_06541CF3
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065428EF	1_2_065428EF
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541C9F	1_2_06541C9F
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654309B	1_2_0654309B
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542080	1_2_06542080
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065424AF	1_2_065424AF
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06540717	1_2_06540717
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542CAB	1_2_06542CAB
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542D59	1_2_06542D59
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541D47	1_2_06541D47
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06543149	1_2_06543149
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542D02	1_2_06542D02
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06545102	1_2_06545102
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654393A	1_2_0654393A
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542128	1_2_06542128
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065479F8	1_2_065479F8
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065431E5	1_2_065431E5
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_065479E7	1_2_065479E7
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541DEF	1_2_06541DEF
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06541D9B	1_2_06541D9B
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654258F	1_2_0654258F
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542188	1_2_06542188
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06542DB0	1_2_06542DB0
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_00EE3EF3	1_2_00EE3EF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_007C2379	10_2_007C2379
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05010928	10_2_05010928
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05012D88	10_2_05012D88
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050145C0	10_2_050145C0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050125E8	10_2_050125E8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05019A17	10_2_05019A17
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501AE18	10_2_0501AE18
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050136D0	10_2_050136D0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015108	10_2_05015108
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05012555	10_2_05012555
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05014591	10_2_05014591
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050125A1	10_2_050125A1
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05012DC8	10_2_05012DC8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016400	10_2_05016400
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016410	10_2_05016410
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016839	10_2_05016839
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015C60	10_2_05015C60
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015C70	10_2_05015C70
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05019C90	10_2_05019C90
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05019CA0	10_2_05019CA0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050144BB	10_2_050144BB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_050154F2	10_2_050154F2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501CF50	10_2_0501CF50
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501DFD0	10_2_0501DFD0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016220	10_2_05016220
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016230	10_2_05016230
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501666A	10_2_0501666A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05016678	10_2_05016678
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015292	10_2_05015292
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015298	10_2_05015298
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05011AE0	10_2_05011AE0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501A2E7	10_2_0501A2E7
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_0501A2F8	10_2_0501A2F8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05015EF8	10_2_05015EF8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_007C3EF3	10_2_007C3EF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_00AE2379	11_2_00AE2379
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A8AB8	11_2_062A8AB8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A0717	11_2_062A0717
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A83C0	11_2_062A83C0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1C6F	11_2_062A1C6F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A5088	11_2_062A5088
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A4950	11_2_062A4950
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A222D	11_2_062A222D
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A7A00	11_2_062A7A00
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2E07	11_2_062A2E07
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A8642	11_2_062A8642
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1E43	11_2_062A1E43
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2EA3	11_2_062A2EA3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A8AB4	11_2_062A8AB4
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A7288	11_2_062A7288
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2281	11_2_062A2281
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A3281	11_2_062A3281
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1E97	11_2_062A1E97
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1EEB	11_2_062A1EEB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2EFA	11_2_062A2EFA
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A22D5	11_2_062A22D5
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A331D	11_2_062A331D
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2710	11_2_062A2710
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A236E	11_2_062A236E
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2B4F	11_2_062A2B4F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2BA6	11_2_062A2BA6
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A7380	11_2_062A7380
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1F84	11_2_062A1F84
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2F96	11_2_062A2F96
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2FED	11_2_062A2FED
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2BFD	11_2_062A2BFD
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A23C2	11_2_062A23C2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1FD8	11_2_062A1FD8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A202C	11_2_062A202C
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A801F	11_2_062A801F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2416	11_2_062A2416
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A5078	11_2_062A5078
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A3044	11_2_062A3044
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062AE850	11_2_062AE850
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2C54	11_2_062A2C54
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2CAB	11_2_062A2CAB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A0717	11_2_062A0717
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A24AF	11_2_062A24AF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2080	11_2_062A2080
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A309B	11_2_062A309B
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1C9F	11_2_062A1C9F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A28EF	11_2_062A28EF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A64E0	11_2_062A64E0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A30F2	11_2_062A30F2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1CF3	11_2_062A1CF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A20D4	11_2_062A20D4
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2128	11_2_062A2128
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A393A	11_2_062A393A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A493F	11_2_062A493F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A510A	11_2_062A510A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2D02	11_2_062A2D02
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A3149	11_2_062A3149
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1D47	11_2_062A1D47
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2D59	11_2_062A2D59
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2DB0	11_2_062A2DB0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A2188	11_2_062A2188
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A258F	11_2_062A258F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1D9B	11_2_062A1D9B
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A1DEF	11_2_062A1DEF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A79EF	11_2_062A79EF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A31E5	11_2_062A31E5
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_00AE3EF3	11_2_00AE3EF3

Source: sample2.exe	Binary or memory string: OriginalFilename vs sample2.exe
Source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDefender Protect.dllB vs sample2.exe
Source: sample2.exe, 00000000.00000000.641747188.0000000000592000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs sample2.exe
Source: sample2.exe	Binary or memory string: OriginalFilename vs sample2.exe
Source: sample2.exe, 00000001.00000002.987673444.000000000044C000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000001.00000002.987712878.0000000000EE2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000001.00000002.997574179.0000000005770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs sample2.exe
Source: sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000001.00000002.999762206.00000000066D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs sample2.exe
Source: sample2.exe, 00000001.00000002.999470130.0000000006600000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs sample2.exe
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sample2.exe
Source: sample2.exe	Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe

Source: sample2.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: sample2.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nwama.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/10@3/2

Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D1051A AdjustTokenPrivileges,	0_2_06D1051A
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_06D104E3 AdjustTokenPrivileges,	0_2_06D104E3
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0163B1E6 AdjustTokenPrivileges,	1_2_0163B1E6
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0163B1AF AdjustTokenPrivileges,	1_2_0163B1AF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A6051A AdjustTokenPrivileges,	10_2_06A6051A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_06A604E3 AdjustTokenPrivileges,	10_2_06A604E3

Source: C:\Users\user\Desktop\sample2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Mutant created: \Sessions\1\BaseNamedObjects\KXEawVjqkPnOFR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:900:120:WilError_01

Source: C:\Users\user\Desktop\sample2.exe

File created: C:\Users\user\AppData\Local\Temp\nwama

Jump to behavior

Source: sample2.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\sample2.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\sample2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sample2.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: sample2.exe	Metadefender: Detection: 25%
Source: sample2.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\sample2.exe

File read: C:\Users\user\Desktop\sample2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sample2.exe 'C:\Users\user\Desktop\sample2.exe'
Source: unknown	Process created: C:\Users\user\Desktop\sample2.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample2.exe	Process created: C:\Users\user\Desktop\sample2.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Source: C:\Users\user\Desktop\sample2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\sample2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\sample2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: sample2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\sample2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: sample2.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: sample2.exe, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nwama.exe.1.dr, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs	.Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE8872 push cs; retf	0_2_04DE8873
Source: C:\Users\user\Desktop\sample2.exe	Code function: 0_2_04DE8B24 push esp; retf	0_2_04DE8B25
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_0654B3E0 push es; retf	1_2_0654E60C
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06543E06 push es; ret	1_2_06543E08
Source: C:\Users\user\Desktop\sample2.exe	Code function: 1_2_06548575 pushfd ; ret	1_2_0654857E
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05018872 push cs; retf	10_2_05018873
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 10_2_05018B24 push esp; retf	10_2_05018B25
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062AB3E8 push es; retf	11_2_062AE630
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	Code function: 11_2_062A857B pushfd ; ret	11_2_062A8586

Source: initial sample	Static PE information: section name: .text entropy: 7.05584068406
Source: initial sample	Static PE information: section name: .text entropy: 7.05584068406

Source: C:\Users\user\Desktop\sample2.exe

File created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe

Jump to dropped file

Source: C:\Users\user\Desktop\sample2.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nwama			Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nwama			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\sample2.exe	File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe	File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes \| delete

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sample2.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection: