Analysis Report lNCyFjhn7M

Overview

General Information

Sample Name: lNCyFjhn7M (renamed file extension from none to exe)
Analysis ID: 356766
MD5: 1ad8213451de5daa4ad536cd9c70e9ce
SHA1: 62c394dfc3094044454f0d25775ca87e6749787e
SHA256: 152dabf84b039a8c1412d8dea323051ee96b1696c3e551a049801c8a320d23e7
Tags: AgentTesla
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: lNCyFjhn7M.exe.7036.1.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "E943pmspWkN", "URL: ": "https://femFzmplqt.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "RgZuUQv5z", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: lNCyFjhn7M.exe Metadefender: Detection: 21% Perma Link
Source: lNCyFjhn7M.exe ReversingLabs: Detection: 62%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: lNCyFjhn7M.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: lNCyFjhn7M.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 4x nop then jmp 04E0BB61h 0_2_04E0B8D1
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04E0BEE0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04E0BED0

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://femFzmplqt.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.70.204.222 66.70.204.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0117A09A recv, 1_2_0117A09A
Source: unknown DNS traffic detected: queries for: mail.hybridgroupco.com
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: http://cfWnht.com
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: https://femFzmplqt.net
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

barindex
.NET source code contains very large array initializations
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2541D03Bu002dC05Au002d4A3Bu002dB0FDu002d61EAF17A97E9u007d/u0034E1BA1C7u002d80DBu002d446Bu002d895Cu002d57E0865F0350.cs Large array initialization: .cctor: array initializer size 11963
.NET source code contains very large strings
Source: lNCyFjhn7M.exe, Form1.cs Long String: Length: 13656
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs Long String: Length: 13656
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs Long String: Length: 13656
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs Long String: Length: 13656
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.cs Long String: Length: 13656
Contains functionality to call native functions
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0117B0BA NtQuerySystemInformation, 1_2_0117B0BA
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0117B089 NtQuerySystemInformation, 1_2_0117B089
Detected potential crypto function
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E03850 0_2_04E03850
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E03648 0_2_04E03648
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E0AF90 0_2_04E0AF90
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E09F70 0_2_04E09F70
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E04529 0_2_04E04529
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E04538 0_2_04E04538
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E042F0 0_2_04E042F0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E042DF 0_2_04E042DF
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E0424D 0_2_04E0424D
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E03638 0_2_04E03638
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E09F61 0_2_04E09F61
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E00A28 0_2_04E00A28
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_04E00A18 0_2_04E00A18
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012B4060 1_2_012B4060
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012BA27A 1_2_012BA27A
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012B6B48 1_2_012B6B48
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012B5244 1_2_012B5244
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012BA058 1_2_012BA058
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012B28E0 1_2_012B28E0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0515F158 1_2_0515F158
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05157B60 1_2_05157B60
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0515D768 1_2_0515D768
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05157290 1_2_05157290
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05156498 1_2_05156498
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05157AB2 1_2_05157AB2
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05B70679 1_2_05B70679
PE file contains strange resources
Source: lNCyFjhn7M.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000000.321220967.0000000000628000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589458599.0000000000978000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590185619.0000000001280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Uses 32bit PE files
Source: lNCyFjhn7M.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: lNCyFjhn7M.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: lNCyFjhn7M.exe, Form1.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0117AF3E AdjustTokenPrivileges, 1_2_0117AF3E
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_0117AF07 AdjustTokenPrivileges, 1_2_0117AF07
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lNCyFjhn7M.exe.log Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: lNCyFjhn7M.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp Binary or memory string: Select distinct emp_id as Employee_ID,names as Employee_Name,age as Age,gender as Gender,dob as Date_of_Birth,date as Date_of_Registration,title as Title,proffession as Proffession,contact as Contact,email as Email_Address,residence as Residence,mstatus as Martial_Status,username as User_Name,time as Time from employee order by dob;
Source: lNCyFjhn7M.exe Binary or memory string: SELECT `immun_id`, `at_birth`, `at_one_month`, `at_three_month`, `at_six_months`, `date`, `officer` FROM `baby_immunization`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp Binary or memory string: SELECT `childbirthid`, `nin`, `admissiondate`, `deiverydate`, `time_of_delivery`, `type_of_delivery`, `number_of_babies`, `delivery`, `healthofficer`, `compilication`, `vitimingiven`, `discahgredate`, `nextappointment` FROM `childbirth`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp Binary or memory string: SELECT `baby_id`, `name`, `time_of_birth`, `weight`, `body_parts_exam`, `gender1`, `skin_color`, `breast_feeding`, `cdofbaby_on_discharge2`, `name2`, `time_of_birth2`, `weight2`, `body_parts_exams2`, `gender2`, `skin_color2`, `breast_feeding2` FROM `baby`;
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: lNCyFjhn7M.exe, 00000001.00000002.591059491.0000000003012000.00000004.00000001.sdmp Binary or memory string: SELECT * FROM Win32_Processor(>;n
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp Binary or memory string: Select distinct mm_id as MORTALITY_ID, cases as CASES_NUMBER,cause_of_death as CAUSE_OF_DEATH,time_of_death as TIME_OF_DEATH,date_of_death as DEATH_DATE from mortality order by date_of_death;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp Binary or memory string: Select distinct `nin_id`, `admission_date`, `delivery_time`, `delivery_type`, `numberof_babies`, `healthofficer`, `complication`, `vitim_given`, `dischagre_date`, `nextappointment`, `address` from `mother`;
Source: lNCyFjhn7M.exe Metadefender: Detection: 21%
Source: lNCyFjhn7M.exe ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe 'C:\Users\user\Desktop\lNCyFjhn7M.exe'
Source: unknown Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: lNCyFjhn7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: lNCyFjhn7M.exe Static file information: File size 1058816 > 1048576
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: lNCyFjhn7M.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: lNCyFjhn7M.exe, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 0_2_00544C70 push 28060000h; retf 0000h 0_2_00544C76
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_00894C70 push 28060000h; retf 0000h 1_2_00894C76
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05A441D8 push cs; retf 1_2_05A441EF
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05A44164 push cs; retf 1_2_05A4417B
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_05A4424B push cs; retf 1_2_05A44263
Source: initial sample Static PE information: section name: .text entropy: 7.44014806301

Hooking and other Techniques for Hiding and Protection:

barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (50).png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.2c1f204.1.raw.unpack, type: UNPACKEDPE
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,memAlloc,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Window / User API: threadDelayed 693 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7000 Thread sleep time: -102800s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7024 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 Thread sleep count: 693 > 30 Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 Thread sleep time: -20790000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Last function: Thread delayed
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: vmware
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Code function: 1_2_012B24F8 LdrInitializeThunk, 1_2_012B24F8
Enables debug privileges
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Memory written: C:\Users\user\Desktop\lNCyFjhn7M.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe Jump to behavior
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356766 Sample: lNCyFjhn7M Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 22 Found malware configuration 2->22 24 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 7 other signatures 2->28 6 lNCyFjhn7M.exe 3 2->6         started        process3 file4 14 C:\Users\user\AppData\...\lNCyFjhn7M.exe.log, ASCII 6->14 dropped 30 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->30 32 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->32 34 Injects a PE file into a foreign processes 6->34 36 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 6->36 10 lNCyFjhn7M.exe 4 6->10         started        signatures5 process6 dnsIp7 16 hybridgroupco.com 66.70.204.222, 49751, 587 OVHFR Canada 10->16 18 mail.hybridgroupco.com 10->18 20 192.168.2.1 unknown unknown 10->20 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->38 40 Tries to steal Mail credentials (via file access) 10->40 42 Tries to harvest and steal ftp login credentials 10->42 44 Tries to harvest and steal browser information (history, passwords, etc) 10->44 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
66.70.204.222
 unknown Canada
16276 OVHFR true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
hybridgroupco.com 66.70.204.222 true
mail.hybridgroupco.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://femFzmplqt.net true
  • Avira URL Cloud: safe
 unknown