Analysis Report malware.exe

ID:	358219
Product:	CloudBasic
Start time:	08:57:15
Start date:	25.02.2021
Sample:	malware.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2ee5a68ee37af14c612fc4c8a589858a
SHA1:	c27220c28c611908f7cf4e727619aef99decb00b
SHA256:	7e2a3464cd57a807ba4fa1bc0cc9b61fd7ace25fae45a7227bc2184587c9945b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\malware.exe.log	ASCII text, with CRLF line terminators	F15C9C88F7D7A8FD8C28FD33A19EEDC1	F703E7360D4958CE7BC5362E8AAC8EA150DACE7C	C32A5354F545CCE575E77A171272F0A9CBD6CD4501AAB657C893A663D3F0E00E

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: malware.exe

Avira: detected

Found malware configuration

Source: 0.2.malware.exe.4374cd0.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "info@nijos.esJose170458@smtp.ionos.es"}

Multi AV Scanner detection for submitted file

Source: malware.exe	Virustotal: Detection: 45%			Perma Link
Source: malware.exe	Metadefender: Detection: 24%			Perma Link
Source: malware.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: malware.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.malware.exe.930000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.malware.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: malware.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: mscorrc.pdb source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp, malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\malware.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_02C8CDD8
Source: C:\Users\user\Desktop\malware.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_02C8CDE8

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 213.165.67.118:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 213.165.67.118 213.165.67.118

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 213.165.67.118:587

Contains functionality to download additional files from the internet

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_0174A09A recv,

3_2_0174A09A

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: smtp.ionos.es

Urls found in memory or binary data

Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://eYrjmd.com
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://status.geotrust.com0=
Source: malware.exe, 00000003.00000002.465505838.0000000003A2D000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.co
Source: malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.com
Source: malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.com4
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: malware.exe, 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, malware.exe, 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: malware.exe, 00000000.00000002.200312637.000000000101A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Source: 3.2.malware.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3E7DD5E5u002d64B9u002d4B13u002dBB39u002d9D06C86D75B5u007d/C3653794u002dA817u002d4DEAu002d8ADFu002d8F127CE93D1E.cs

Large array initialization: .cctor: array initializer size 11921

PE file contains section with special chars

Source: malware.exe

Static PE information: section name: 7wjw!

PE file has nameless sections

Source: malware.exe

Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174B0BA NtQuerySystemInformation,		3_2_0174B0BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174B089 NtQuerySystemInformation,		3_2_0174B089

Detected potential crypto function

Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093E489		0_2_0093E489
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093C8B2		0_2_0093C8B2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009405C2		0_2_009405C2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00939F78		0_2_00939F78
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C8AEF0		0_2_02C8AEF0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80B50		0_2_02C80B50
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C800A8		0_2_02C800A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C829D8		0_2_02C829D8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C83D30		0_2_02C83D30
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C8AEE0		0_2_02C8AEE0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C853E0		0_2_02C853E0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C853F0		0_2_02C853F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80B3F		0_2_02C80B3F
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80099		0_2_02C80099
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C829C8		0_2_02C829C8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C851A8		0_2_02C851A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C851A3		0_2_02C851A3
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C83D20		0_2_02C83D20
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009338AA		0_2_009338AA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093A98D		0_2_0093A98D
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F005C2		3_2_00F005C2
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_057397DC		3_2_057397DC
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0573AF98		3_2_0573AF98
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0573DE28		3_2_0573DE28
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05738488		3_2_05738488
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC98E0		3_2_05EC98E0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC73C8		3_2_05EC73C8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC26A8		3_2_05EC26A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC0070		3_2_05EC0070
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC8658		3_2_05EC8658
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC6818		3_2_05EC6818
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC25F8		3_2_05EC25F8

Sample file is different than original file name gathered from version info

Source: malware.exe	Binary or memory string: OriginalFilename vs malware.exe
Source: malware.exe, 00000000.00000002.205160417.000000000DE40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs malware.exe
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexUHzFnbHwIrwSOMYICulYEVtzBE.exe4 vs malware.exe
Source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs malware.exe
Source: malware.exe, 00000000.00000002.204525683.0000000009B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs malware.exe
Source: malware.exe, 00000000.00000002.200312637.000000000101A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs malware.exe
Source: malware.exe	Binary or memory string: OriginalFilename vs malware.exe
Source: malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs malware.exe
Source: malware.exe, 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexUHzFnbHwIrwSOMYICulYEVtzBE.exe4 vs malware.exe
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs malware.exe
Source: malware.exe, 00000003.00000002.461900198.0000000001880000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs malware.exe
Source: malware.exe	Binary or memory string: OriginalFilenameNonVersionableAttribute.exeF vs malware.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\malware.exe

Section loaded: security.dll

Jump to behavior

Uses 32bit PE files

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: malware.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Source: malware.exe

Static PE information: Section: 7wjw! ZLIB complexity 1.00046164773

.NET source code contains calls to encryption/decryption functions

Source: 3.2.malware.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.malware.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174AF3E AdjustTokenPrivileges,		3_2_0174AF3E
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174AF07 AdjustTokenPrivileges,		3_2_0174AF07

Creates files inside the user directory

Source: C:\Users\user\Desktop\malware.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\malware.exe.log

Jump to behavior

Creates mutexes

Source: C:\Users\user\Desktop\malware.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Reads software policies

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\Desktop\malware.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Sample is known by Antivirus

Source: malware.exe	Virustotal: Detection: 45%
Source: malware.exe	Metadefender: Detection: 24%
Source: malware.exe	ReversingLabs: Detection: 68%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\malware.exe 'C:\Users\user\Desktop\malware.exe'
Source: unknown	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe
Source: C:\Users\user\Desktop\malware.exe	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\malware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

PE file contains a COM descriptor data directory

Source: malware.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: malware.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: mscorrc.pdb source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp, malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\malware.exe

Unpacked PE file: 0.2.malware.exe.930000.0.unpack 7wjw!:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xDA072381 [Thu Nov 29 19:35:29 2085 UTC]

PE file contains sections with non-standard names

Source: malware.exe	Static PE information: section name: 7wjw!
Source: malware.exe	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944292 push cs; ret		0_2_0094429C
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094429E push cs; ret		0_2_009442A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442BC push cs; ret		0_2_009442F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442AA push cs; ret		0_2_009442BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442F2 push cs; ret		0_2_00944308
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944B9E push ds; ret		0_2_00944BA2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00943D9A push es; ret		0_2_00943DBC
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944BBC push ds; ret		0_2_00944BC0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009441A2 push cs; ret		0_2_00944260
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009441A2 push cs; ret		0_2_0094426C
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944BAA push ds; ret		0_2_00944BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009447C0 push ss; ret		0_2_009447D6
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944B02 push ds; ret		0_2_00944BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094472A push ss; ret		0_2_0094472E
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094477E push ss; ret		0_2_009447BE
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944760 push ss; ret		0_2_00944770
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C890C8 pushad ; retf		0_2_02C890C9
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042F2 push cs; ret		3_2_00F04308
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042BC push cs; ret		3_2_00F042F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042AA push cs; ret		3_2_00F042BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04292 push cs; ret		3_2_00F0429C
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F0429E push cs; ret		3_2_00F042A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F047C0 push ss; ret		3_2_00F047D6
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04BBC push ds; ret		3_2_00F04BC0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F041A2 push cs; ret		3_2_00F04260
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F041A2 push cs; ret		3_2_00F0426C
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04BAA push ds; ret		3_2_00F04BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F03D9A push es; ret		3_2_00F03DBC
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04B9E push ds; ret		3_2_00F04BA2
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F0477E push ss; ret		3_2_00F047BE
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04760 push ss; ret		3_2_00F04770

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: 7wjw! entropy: 7.99674140744
Source: initial sample	Static PE information: section name: .text entropy: 7.85224276661

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\malware.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Source: C:\Users\user\Desktop\malware.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\malware.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\malware.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\malware.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\malware.exe

Window / User API: threadDelayed 672

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\malware.exe TID: 6384	Thread sleep time: -103256s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep count: 672 > 30			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -20160000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\malware.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\malware.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: malware.exe, 00000000.00000002.205104429.000000000DDE0000.00000004.00000001.sdmp	Binary or memory string: AQEMuK
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: malware.exe, 00000003.00000002.461473019.00000000015C9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\malware.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\malware.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_057330C8 LdrInitializeThunk,

3_2_057330C8

Enables debug privileges

Source: C:\Users\user\Desktop\malware.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\malware.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\malware.exe

Memory written: C:\Users\user\Desktop\malware.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\malware.exe

Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Contains functionality to query the account / user name

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_0174BB16 GetUserNameW,

3_2_0174BB16

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\malware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY
Source: Yara match	File source: 3.2.malware.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.421ba00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4277620.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY
Source: Yara match	File source: 3.2.malware.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.421ba00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4277620.4.raw.unpack, type: UNPACKEDPE