Play interactive tour

Edit tour

Analysis Report Swift doc. ZD.1.19022021_PDF.exe

Overview

General Information

Sample Name:	Swift doc. ZD.1.19022021_PDF.exe
Analysis ID:	358328
MD5:	5679c66fd0ebcd6b8702c5c9e8f1ecb6
SHA1:	dbba96ad2d1c3811812eadd985401822f9ef54b9
SHA256:	949138db57c941e64a0a14bc7e87f68576dadf09f8ac56faa6776476161fb0b8
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Swift doc. ZD.1.19022021_PDF.exe (PID: 7020 cmdline: 'C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe' MD5: 5679C66FD0EBCD6B8702C5C9E8F1ECB6)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "SYgLhOXLAKJaD", "URL: ": "https://T4gAxtuj18rwIFW1VRIf.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "EbOiB", "From: ": "fikriye@turuncoglu.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.923663679.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Swift doc. ZD.1.19022021_PDF.exe.3270530.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.Swift doc. ZD.1.19022021_PDF.exe.3270530.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe.7020.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "SYgLhOXLAKJaD", "URL: ": "https://T4gAxtuj18rwIFW1VRIf.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "EbOiB", "From: ": "fikriye@turuncoglu.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe

ReversingLabs: Detection: 10%

Machine Learning detection for sample

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://T4gAxtuj18rwIFW1VRIf.com

Source: global traffic

TCP traffic: 192.168.2.4:49765 -> 77.88.21.158:587

Source: Joe Sandbox View

IP Address: 77.88.21.158 77.88.21.158

Source: global traffic

TCP traffic: 192.168.2.4:49765 -> 77.88.21.158:587

Source: unknown

DNS traffic detected: queries for: smtp.yandex.com

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://NfuOAc.com
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.919606289.0000000003566000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.yandex.com
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.ocsp-responder.com03
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.919506938.000000000351D000.00000004.00000001.sdmp	String found in binary or memory: https://T4gAxtuj18rwIFW1VRIf.com
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large strings

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe, frmSplashScreen.cs

Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Swift doc. ZD.1.19022021_PDF.exe

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01769608	1_2_01769608
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0176C2A8	1_2_0176C2A8
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0176AB34	1_2_0176AB34
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01838190	1_2_01838190
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183A1F8	1_2_0183A1F8
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_018344C0	1_2_018344C0
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183C9F0	1_2_0183C9F0
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183D9F8	1_2_0183D9F8
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01835900	1_2_01835900
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01831EF0	1_2_01831EF0
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183AE20	1_2_0183AE20
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183A199	1_2_0183A199
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01837010	1_2_01837010
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183C9EA	1_2_0183C9EA
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01864880	1_2_01864880
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01868312	1_2_01868312
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01862530	1_2_01862530
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_01867CC0	1_2_01867CC0

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000000.647670906.0000000000EBA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRSAPKCS1SignatureDescription.exe< vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916315212.0000000001840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.921926825.0000000004241000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJjuAGuEggFLyNdgxhZLJIKFOcxph.exe4 vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000003.843393717.00000000015C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclr.dl<fQ vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916284500.0000000001820000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs Swift doc. ZD.1.19022021_PDF.exe
Source: Swift doc. ZD.1.19022021_PDF.exe	Binary or memory string: OriginalFilenameRSAPKCS1SignatureDescription.exe< vs Swift doc. ZD.1.19022021_PDF.exe

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Swift doc. ZD.1.19022021_PDF.exe, frmSplashScreen.cs

Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Mutant created: \Sessions\1\BaseNamedObjects\ePyGDQmBPgOdlidu

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Swift doc. ZD.1.19022021_PDF.exe

ReversingLabs: Detection: 10%

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Swift doc. ZD.1.19022021_PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183C140 push esp; ret		1_2_0183C141
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Code function: 1_2_0183D578 pushfd ; iretd		1_2_0183D585

Source: initial sample

Static PE information: section name: .text entropy: 7.03776347249

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020, type: MEMORY
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.3270530.2.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Window / User API: threadDelayed 735			Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Window / User API: threadDelayed 9117			Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe TID: 7024	Thread sleep time: -99106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe TID: 4780	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe TID: 4484	Thread sleep count: 735 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe TID: 4484	Thread sleep count: 9117 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Code function: 1_2_01835900 LdrInitializeThunk,

1_2_01835900

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916402707.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916402707.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916402707.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916402707.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.923663679.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020, type: MEMORY
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020, type: MEMORY
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.3270530.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.923663679.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift doc. ZD.1.19022021_PDF.exe PID: 7020, type: MEMORY
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.44f98c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Swift doc. ZD.1.19022021_PDF.exe.63e0000.9.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection1	Virtualization/Sandbox Evasion13	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information21	NTDS	Process Discovery2	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift doc. ZD.1.19022021_PDF.exe	11%	ReversingLabs	Win32.Trojan.Wacatac
Swift doc. ZD.1.19022021_PDF.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://T4gAxtuj18rwIFW1VRIf.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://NfuOAc.com	0%	Avira URL Cloud	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.yandex.ru	77.88.21.158	true	false		high
smtp.yandex.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://T4gAxtuj18rwIFW1VRIf.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://subca.ocsp-certum.com0.	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.certum.pl/ca.cer09	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
http://crls.yandex.net/certum/ycasha2.crl0-	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
http://subca.ocsp-certum.com01	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://yandex.crl.certum.pl/ycasha2.crl0q	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/ca.crl0h	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
https://www.certum.pl/CPS0	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certum.pl/CPS0	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false		high
http://smtp.yandex.com	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.919606289.0000000003566000.00000004.00000001.sdmp	false		high
http://NfuOAc.com	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://yandex.ocsp-responder.com03	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.certum.pl/ycasha2.cer0	Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.88.21.158	unknown	Russian Federation		13238	YANDEXRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358328
Start date:	25.02.2021
Start time:	12:19:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift doc. ZD.1.19022021_PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 84% Quality standard deviation: 5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 13.88.21.125, 23.211.6.115, 168.61.161.212, 104.42.151.234, 52.147.198.201, 51.104.139.180, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.132.208.181, 92.122.213.194, 92.122.213.247, 51.11.168.160 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:20:43	API Interceptor	845x Sleep call for process: Swift doc. ZD.1.19022021_PDF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
77.88.21.158	inmyB8Hxr9.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	KBU0o30E6s.exe	Get hash	malicious	Browse
	FspMzSMtYA.exe	Get hash	malicious	Browse
	w0dAcJpIm1.exe	Get hash	malicious	Browse
	VfUlDo471c.exe	Get hash	malicious	Browse
	FEB PROCESSED.xlsx	Get hash	malicious	Browse
	q13a8EbUPB.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe	Get hash	malicious	Browse
	PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe	Get hash	malicious	Browse
	pass.exe	Get hash	malicious	Browse
	nXKdiUgIYy.exe	Get hash	malicious	Browse
	x4cXV3784J.exe	Get hash	malicious	Browse
	Request For Quotation #D22022021_pdf.exe	Get hash	malicious	Browse
	RFQ_PDRVK2200248_00667_PDF.exe	Get hash	malicious	Browse
	emI0MqOvFw.exe	Get hash	malicious	Browse
	ZnsXrCAriL.exe	Get hash	malicious	Browse
	zyp9gbDQHw.exe	Get hash	malicious	Browse
	DHL Shipment Notification.PDF.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.yandex.ru	inmyB8Hxr9.exe	Get hash	malicious	Browse	77.88.21.158
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse	77.88.21.158
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse	77.88.21.158
	KBU0o30E6s.exe	Get hash	malicious	Browse	77.88.21.158
	FspMzSMtYA.exe	Get hash	malicious	Browse	77.88.21.158
	w0dAcJpIm1.exe	Get hash	malicious	Browse	77.88.21.158
	VfUlDo471c.exe	Get hash	malicious	Browse	77.88.21.158
	FEB PROCESSED.xlsx	Get hash	malicious	Browse	77.88.21.158
	q13a8EbUPB.exe	Get hash	malicious	Browse	77.88.21.158
	SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe	Get hash	malicious	Browse	77.88.21.158
	PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe	Get hash	malicious	Browse	77.88.21.158
	pass.exe	Get hash	malicious	Browse	77.88.21.158
	nXKdiUgIYy.exe	Get hash	malicious	Browse	77.88.21.158
	x4cXV3784J.exe	Get hash	malicious	Browse	77.88.21.158
	Request For Quotation #D22022021_pdf.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ_PDRVK2200248_00667_PDF.exe	Get hash	malicious	Browse	77.88.21.158
	emI0MqOvFw.exe	Get hash	malicious	Browse	77.88.21.158
	ZnsXrCAriL.exe	Get hash	malicious	Browse	77.88.21.158
	zyp9gbDQHw.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Shipment Notification.PDF.exe	Get hash	malicious	Browse	77.88.21.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YANDEXRU	inmyB8Hxr9.exe	Get hash	malicious	Browse	77.88.21.158
	rtofwqxq.exe	Get hash	malicious	Browse	87.250.250.22
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse	77.88.21.158
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse	77.88.21.158
	KBU0o30E6s.exe	Get hash	malicious	Browse	77.88.21.158
	FspMzSMtYA.exe	Get hash	malicious	Browse	77.88.21.158
	Wd8LBdddKD.exe	Get hash	malicious	Browse	37.9.96.19
	Wd8LBdddKD.exe	Get hash	malicious	Browse	37.9.96.14
	w0dAcJpIm1.exe	Get hash	malicious	Browse	77.88.21.158
	VfUlDo471c.exe	Get hash	malicious	Browse	77.88.21.158
	FEB PROCESSED.xlsx	Get hash	malicious	Browse	77.88.21.158
	q13a8EbUPB.exe	Get hash	malicious	Browse	77.88.21.158
	SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe	Get hash	malicious	Browse	77.88.21.158
	PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe	Get hash	malicious	Browse	77.88.21.158
	pass.exe	Get hash	malicious	Browse	77.88.21.158
	nXKdiUgIYy.exe	Get hash	malicious	Browse	77.88.21.158
	x4cXV3784J.exe	Get hash	malicious	Browse	77.88.21.158
	Request For Quotation #D22022021_pdf.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ_PDRVK2200248_00667_PDF.exe	Get hash	malicious	Browse	77.88.21.158
	emI0MqOvFw.exe	Get hash	malicious	Browse	77.88.21.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.023314877630659
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Swift doc. ZD.1.19022021_PDF.exe
File size:	770048
MD5:	5679c66fd0ebcd6b8702c5c9e8f1ecb6
SHA1:	dbba96ad2d1c3811812eadd985401822f9ef54b9
SHA256:	949138db57c941e64a0a14bc7e87f68576dadf09f8ac56faa6776476161fb0b8
SHA512:	90c5e00b545dc5f8d54c9580643a9ebe3ba0a40131eb6a98d3501058dd9879ae2041c42bbdc89ba7ddf2936a35902c8d4c83d84d0fda0d3124e1a358e573faa7
SSDEEP:	12288:T9v6xdnFRrwvjnjBCTo+DH2JgapeB1wMrEssALmx1:Tt6x1r4nVYTDHYMB1wOsALE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wj7`..............P..h...V........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	e0dad4adc4d2d870

Static PE Info

General
Entrypoint:	0x4b86da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60376A77 [Thu Feb 25 09:14:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8688	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x5208	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb66e0	0xb6800	False	0.598153895548	data	7.03776347249	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x5208	0x5400	False	0.185360863095	data	4.1978823981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xba100	0x4228	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xbe338	0x14	data
RT_VERSION	0xbe35c	0x380	data
RT_MANIFEST	0xbe6ec	0xb15	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2014
Assembly Version	3.0.0.0
InternalName	RSAPKCS1SignatureDescription.exe
FileVersion	3.0.0.0
CompanyName	KTV
LegalTrademarks
Comments
ProductName	KTVManagement
ProductVersion	3.0.0.0
FileDescription	KTVManagement
OriginalFilename	RSAPKCS1SignatureDescription.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 12:22:16.032483101 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.111545086 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.111645937 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.330151081 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.330543995 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.411638021 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.411660910 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.412049055 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.491178989 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.536336899 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.618381977 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.618442059 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.618484020 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.618515968 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.618598938 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.618653059 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.664922953 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.746551037 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.796453953 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.810801983 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.889812946 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.891663074 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:16.972093105 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:16.973011971 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.063858032 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:17.065093040 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.151715994 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:17.152304888 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.239497900 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:17.239990950 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.321471930 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:17.323180914 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.323326111 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.323971033 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.324101925 CET	49765	587	192.168.2.4	77.88.21.158
Feb 25, 2021 12:22:17.403855085 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:17.404289007 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:18.069082975 CET	587	49765	77.88.21.158	192.168.2.4
Feb 25, 2021 12:22:18.109025955 CET	49765	587	192.168.2.4	77.88.21.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 12:20:35.466200113 CET	54531	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:35.519671917 CET	53	54531	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:36.660303116 CET	49714	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:36.709070921 CET	53	49714	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:36.863770962 CET	58028	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:36.924093962 CET	53	58028	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:38.031158924 CET	53097	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:38.080015898 CET	53	53097	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:39.030683041 CET	49257	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:39.079600096 CET	53	49257	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:40.288960934 CET	62389	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:40.349018097 CET	53	62389	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:41.962757111 CET	49910	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:42.015674114 CET	53	49910	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:43.185733080 CET	55854	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:43.238775969 CET	53	55854	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:45.527916908 CET	64549	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:45.578366041 CET	53	64549	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:47.279995918 CET	63153	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:47.331563950 CET	53	63153	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:48.540069103 CET	52991	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:48.589719057 CET	53	52991	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:49.871844053 CET	53700	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:49.934281111 CET	53	53700	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:51.045453072 CET	51726	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:51.094162941 CET	53	51726	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:51.841162920 CET	56794	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:51.890017033 CET	53	56794	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:53.079277039 CET	56534	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:53.129333019 CET	53	56534	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:54.201761961 CET	56627	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:54.260245085 CET	53	56627	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:55.025892019 CET	56621	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:55.086498976 CET	53	56621	8.8.8.8	192.168.2.4
Feb 25, 2021 12:20:56.517249107 CET	63116	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:20:56.568813086 CET	53	63116	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:00.983846903 CET	64078	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:01.036426067 CET	53	64078	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:08.085619926 CET	64801	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:08.138427973 CET	53	64801	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:24.894157887 CET	61721	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:24.956551075 CET	53	61721	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:25.540385962 CET	51255	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:25.600578070 CET	53	51255	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:26.285353899 CET	61522	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:26.296955109 CET	52337	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:26.347690105 CET	53	52337	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:26.349694967 CET	53	61522	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:26.801425934 CET	55046	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:26.858725071 CET	53	55046	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:27.302660942 CET	49612	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:27.377688885 CET	53	49612	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:28.015033960 CET	49285	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:28.072329044 CET	53	49285	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:28.658046007 CET	50601	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:28.717907906 CET	53	50601	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:29.442985058 CET	60875	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:29.500087023 CET	53	60875	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:30.367633104 CET	56448	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:30.416379929 CET	53	56448	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:30.707478046 CET	59172	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:30.775352001 CET	53	59172	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:30.905088902 CET	62420	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:30.965547085 CET	53	62420	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:43.019121885 CET	60579	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:43.038861990 CET	50183	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:43.068176985 CET	53	60579	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:43.110400915 CET	53	50183	8.8.8.8	192.168.2.4
Feb 25, 2021 12:21:50.055668116 CET	61531	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:21:50.117507935 CET	53	61531	8.8.8.8	192.168.2.4
Feb 25, 2021 12:22:15.870568991 CET	49228	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:22:15.928117037 CET	53	49228	8.8.8.8	192.168.2.4
Feb 25, 2021 12:22:15.954482079 CET	59794	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:22:16.011673927 CET	53	59794	8.8.8.8	192.168.2.4
Feb 25, 2021 12:22:16.998469114 CET	55916	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:22:17.047694921 CET	53	55916	8.8.8.8	192.168.2.4
Feb 25, 2021 12:22:19.553073883 CET	52752	53	192.168.2.4	8.8.8.8
Feb 25, 2021 12:22:19.628139019 CET	53	52752	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 12:22:15.870568991 CET	192.168.2.4	8.8.8.8	0x1e09	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)
Feb 25, 2021 12:22:15.954482079 CET	192.168.2.4	8.8.8.8	0xc40	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 12:22:15.928117037 CET	8.8.8.8	192.168.2.4	0x1e09	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 12:22:15.928117037 CET	8.8.8.8	192.168.2.4	0x1e09	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)
Feb 25, 2021 12:22:16.011673927 CET	8.8.8.8	192.168.2.4	0xc40	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 12:22:16.011673927 CET	8.8.8.8	192.168.2.4	0xc40	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 25, 2021 12:22:16.330151081 CET	587	49765	77.88.21.158	192.168.2.4	220 vla3-23c3b031fed5.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Feb 25, 2021 12:22:16.330543995 CET	49765	587	192.168.2.4	77.88.21.158	EHLO 305090
Feb 25, 2021 12:22:16.411660910 CET	587	49765	77.88.21.158	192.168.2.4	250-vla3-23c3b031fed5.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 42991616 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Feb 25, 2021 12:22:16.412049055 CET	49765	587	192.168.2.4	77.88.21.158	STARTTLS
Feb 25, 2021 12:22:16.491178989 CET	587	49765	77.88.21.158	192.168.2.4	220 Go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Swift doc. ZD.1.19022021_PDF.exe PID: 7020 Parent PID: 5968

General

Start time:	12:20:42
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe'
Imagebase:	0xe00000
File size:	770048 bytes
MD5 hash:	5679C66FD0EBCD6B8702C5C9E8F1ECB6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.923663679.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Swift doc. ZD.1.19022021_PDF.exe PID: 7020 Parent PID: 5968 Swift doc. ZD.1.19022021_PDF.exeCOMMON

Executed Functions

Function 01862530, Relevance: 4.4, Strings: 2, Instructions: 1873COMMON

Download Yara Rule

Strings

D0*l, xrefs: 0186372A
\%l, xrefs: 01862A1B

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID:
String ID: D0*l$\%l
API String ID: 0-992259942
Opcode ID: 2d45d0bab3901a81fbc38bdc88fd7172cb41125ed0f45c0e86bdaba4fba458c3
Instruction ID: cdc6229dd6fc0ad3c5eb76556d4fdfb5b31115f9eefca9737cede20ffd2f1230
Opcode Fuzzy Hash: 2d45d0bab3901a81fbc38bdc88fd7172cb41125ed0f45c0e86bdaba4fba458c3
Instruction Fuzzy Hash: FDE23671A453958FDB57CB78888076EBBB6EF82318F6480EED046CF252D7368916C781

Uniqueness

Uniqueness Score: -1.00%

Function 01868312, Relevance: 3.2, Instructions: 3199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c3aab5ac3a1b4595f032a3c0b01d5cab5f878065b9ead291b7f0b4af08d433
Instruction ID: f9b06f8f8c5734264f3bdc1c8f2c2579e8c0e02b76ebf88703a6bc27834ca62e
Opcode Fuzzy Hash: 20c3aab5ac3a1b4595f032a3c0b01d5cab5f878065b9ead291b7f0b4af08d433
Instruction Fuzzy Hash: 97632D30D107198ECB15EF68C8846A9F7B5FF95304F15C69AE459BB221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01867CC0, Relevance: 2.9, Instructions: 2858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e0cda695f2e772e57a1268ba87e429ab3984ce7fa054aa8d408a2a1935120b
Instruction ID: c24a66ca02a43efb03cd820aaa330a672981dc665f8acbb001047481b8838187
Opcode Fuzzy Hash: f3e0cda695f2e772e57a1268ba87e429ab3984ce7fa054aa8d408a2a1935120b
Instruction Fuzzy Hash: 9E530B30D10B198ECB15EF68C884699F7B5FF99304F55C69AE458B7221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01835900, Relevance: 2.8, APIs: 1, Instructions: 1261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ed60485717bcd33eaa2c742856e56df3bf8fc4b29536961707eb233a8b0971
Instruction ID: 59b05200a58b2fb7cadd324716d034803b988b1eb8f3dbcfe43bf096edcd0d24
Opcode Fuzzy Hash: 43ed60485717bcd33eaa2c742856e56df3bf8fc4b29536961707eb233a8b0971
Instruction Fuzzy Hash: CDB26B70A003199FDB14EB78C8547AEB7F2AF89304F1585A9D50AEB750EF309E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0183C9F0, Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

8^*l, xrefs: 0183CC4E

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID: 8^*l
API String ID: 0-1503063475
Opcode ID: f2648fcab16f53ff4ed30fd80293aa3285ed8b627d50443182fea20236ecb467
Instruction ID: 2205a57ad7388a43a77d10fc6e867dbdec3101f5418302bce9ad68377eeafbb9
Opcode Fuzzy Hash: f2648fcab16f53ff4ed30fd80293aa3285ed8b627d50443182fea20236ecb467
Instruction Fuzzy Hash: 8432C670A002488FEF24DBB8C45476EBBA2AF85314F18C16AD509EF386DB75DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0183C9EA, Relevance: 1.8, Strings: 1, Instructions: 588COMMON

Download Yara Rule

Strings

8^*l, xrefs: 0183CC4E

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID: 8^*l
API String ID: 0-1503063475
Opcode ID: bfb6d36f275b96778b19bdbe1f9946aca8c6bfb4d479b60cb0f4a1e211415f9f
Instruction ID: d0120f699203445f22842d9929cc5c10a6477c9e3003a3bb041fb4a9cbd07910
Opcode Fuzzy Hash: bfb6d36f275b96778b19bdbe1f9946aca8c6bfb4d479b60cb0f4a1e211415f9f
Instruction Fuzzy Hash: 1A328570A002088FDF24DBB8C4547AEBBA2AF85314F58C16AD509EF385DB75DE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0183A1F8, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b965b3215bb87c189c421f85195bdd34c60a73b5a0f983d4d6146b7852eef5
Instruction ID: 0f5901560d3ea975def31ec39a8f96393477fd6f8bcdd58d54b21e7195e65c7e
Opcode Fuzzy Hash: 93b965b3215bb87c189c421f85195bdd34c60a73b5a0f983d4d6146b7852eef5
Instruction Fuzzy Hash: CA624B74A002148FCB14EB78D8587AEBBB3AF88350F1585A9D90ADB754DF34AD428F91

Uniqueness

Uniqueness Score: -1.00%

Function 01864880, Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da626ecd1d332d571351e2c8446aef285c10f04d5e1b3d531d995e7b4698709
Instruction ID: 2117fa16bc96904dcc0dcb3701d5fb42476347251c770e2b0cf044d79176cd09
Opcode Fuzzy Hash: 8da626ecd1d332d571351e2c8446aef285c10f04d5e1b3d531d995e7b4698709
Instruction Fuzzy Hash: 12422330B002048FDB05EBB8D8946AEBBB6EF85314F24847AD946DB396DB35DD05C791

Uniqueness

Uniqueness Score: -1.00%

Function 0183A199, Relevance: .8, Instructions: 769COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0341850787276f76c93556a1c713a1d70f66d0df232e57c81c4bcc4ea6640db6
Instruction ID: 5181b08be7301d7c9a191b5ffa99da1ad3042d26bed614c863e73f54fed92fe3
Opcode Fuzzy Hash: 0341850787276f76c93556a1c713a1d70f66d0df232e57c81c4bcc4ea6640db6
Instruction Fuzzy Hash: 9B623C74A002148FCB54EB78D8987AEB7B3BF88350F1485A9D90ADB754DF34AD428F50

Uniqueness

Uniqueness Score: -1.00%

Function 01838190, Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded8de1626e4438fd6c219aaec16980c79e43c59fe4ac4f6787b44b64e937e17
Instruction ID: 1943591c7fafdf643b46e5381f2853df42ad6b30212ea9eafa1d1615ae60b566
Opcode Fuzzy Hash: ded8de1626e4438fd6c219aaec16980c79e43c59fe4ac4f6787b44b64e937e17
Instruction Fuzzy Hash: 86326A34B003098FDB15EBB4C4546AEB7E2AFC5348F148A69E906DB394EF34DD468B91

Uniqueness

Uniqueness Score: -1.00%

Function 01769608, Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b995c2f4b3d7448340b95d5d3c4543a3eb5e65faea734ce6ccf626ee802277
Instruction ID: 253c972497df592d8d8ddba14ea9bbd9aa20cb41e3a14233aa4f8576abda8ef7
Opcode Fuzzy Hash: 63b995c2f4b3d7448340b95d5d3c4543a3eb5e65faea734ce6ccf626ee802277
Instruction Fuzzy Hash: 50527F31A0061ACFDB15CF68C884AAEF7BAFF45308F1584A9DA19AB251D770FD45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0183AE20, Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56733f0b2cced21366b34c385c4bd609f2b537c2bd6d04ce6dadf59e142446c2
Instruction ID: 1e8b456d530402b7b4ba698b1c83601804a6337bf7052617cb4f19627bb0d0ad
Opcode Fuzzy Hash: 56733f0b2cced21366b34c385c4bd609f2b537c2bd6d04ce6dadf59e142446c2
Instruction Fuzzy Hash: CB22A23470E3859FE34697799C186667BE59BC2304F1980F7D158CF6A3EA38DD0A8362

Uniqueness

Uniqueness Score: -1.00%

Function 01831EF0, Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c848735d2101d16356034b3c5490c03c3580693493dfa004e0621175b55dbade
Instruction ID: 9e6669ecdf95bb7274eddd4029db1f485f97cbdc2d72b87c31fdd4d0e2be1ace
Opcode Fuzzy Hash: c848735d2101d16356034b3c5490c03c3580693493dfa004e0621175b55dbade
Instruction Fuzzy Hash: 0522AC30B002158FDB14DBB8D8887ADBBB3AFC5314F288569D519EB391DB31ED468B91

Uniqueness

Uniqueness Score: -1.00%

Function 018344C0, Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f2379eadb0ac43b3b899151de2d082d09ad420a402a5b878f2bd53a69c6c36
Instruction ID: fc61307f391afac153218cbd5e984bf40b27376d5f578b73b3ee5b273b388d7d
Opcode Fuzzy Hash: d2f2379eadb0ac43b3b899151de2d082d09ad420a402a5b878f2bd53a69c6c36
Instruction Fuzzy Hash: A2D1DFB0B002185BEB68EB79C85476FBAE3AFC5354F188428D906EF790DF759D028791

Uniqueness

Uniqueness Score: -1.00%

Function 0183D9F8, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3128d738f420ea7a7c26df4752c9b1ef078d86a9492157357379c94920cb963
Instruction ID: 241a5b50c163d9a693b63be6b170bf6c044716ce69362d7cdb288cefb77bf58a
Opcode Fuzzy Hash: a3128d738f420ea7a7c26df4752c9b1ef078d86a9492157357379c94920cb963
Instruction Fuzzy Hash: 26A18D71A042499FDF15CFA8C844ADEBFB2BF89304F488256E905EB361D770AA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01766BA0, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01766C10
GetCurrentThread.KERNEL32 ref: 01766C4D
GetCurrentProcess.KERNEL32 ref: 01766C8A
GetCurrentThreadId.KERNEL32 ref: 01766CE3

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0035c73ddaaccc997e8f80a03854586157fbf28dda6e789d9537ef901fe0e50e
Instruction ID: fb7181c4e0628e75bc9413eae8f58fe8a01ae611b5e38f93bb3315f74d6bce2d
Opcode Fuzzy Hash: 0035c73ddaaccc997e8f80a03854586157fbf28dda6e789d9537ef901fe0e50e
Instruction Fuzzy Hash: 2B5154B49046498FDB14CFA9D588B9EFBF0FF88314F24846DE419A7390D734A944CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01766BB0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01766C10
GetCurrentThread.KERNEL32 ref: 01766C4D
GetCurrentProcess.KERNEL32 ref: 01766C8A
GetCurrentThreadId.KERNEL32 ref: 01766CE3

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 69db8429afbcd9b56cb119ee26eef319c296efc701b70735ba337e644a537c9b
Instruction ID: 5f9e2895cb42b613ffacaa48d8e4dc8d26389f91a472cf8382b72f532b41f366
Opcode Fuzzy Hash: 69db8429afbcd9b56cb119ee26eef319c296efc701b70735ba337e644a537c9b
Instruction Fuzzy Hash: A25144B49046098FDB24CFAAD588B9EFBF4FF88314F20846DE519A7350D734A944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0176BBB0, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e07af2948cf3a075eaca03527e6efc36a4f924b3d4da6ad52e9251d00b11b3a
Instruction ID: 969b14827551eadd101159a190d41ec41f3a7e2705898a3d67671cca592619ad
Opcode Fuzzy Hash: 6e07af2948cf3a075eaca03527e6efc36a4f924b3d4da6ad52e9251d00b11b3a
Instruction Fuzzy Hash: F88143B0A00B058FD724CF6AC44475ABBF5FF89204F00892DD98ADBA44DB75E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0186EDF8, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0186EE39

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00afbcdb6c7e3f4e783dc31493822a628df967f26dcfbf0363fe741d3453e104
Instruction ID: 3a9d08eb14a8a75ff8694b7a6cfc3cd514694cffb0f6bb644c0ee00d6d64859c
Opcode Fuzzy Hash: 00afbcdb6c7e3f4e783dc31493822a628df967f26dcfbf0363fe741d3453e104
Instruction Fuzzy Hash: 21617F34A00209DBDB14EFB9D458BAEBBF6AF84348F108828D506EB394DF349945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01838C18, Relevance: 1.7, APIs: 1, Instructions: 168libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01838CD8

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a94f2c1fd09fabad43964678490c0900b478cfe44019ae4ea8db33a15f92ead2
Instruction ID: 427369a2dd9b1d7cfa43f1e5e190d0f0d583cbafe064d92b3657073ab1fbc009
Opcode Fuzzy Hash: a94f2c1fd09fabad43964678490c0900b478cfe44019ae4ea8db33a15f92ead2
Instruction Fuzzy Hash: 3551A070A002099FDB44EBB4D848AEEBBB6AF85304F14856AE516DB351DB34DD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01838C78, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01838CD8

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38372030d8afc1b67a181a114b27a4378d66626ef193a89819486ba2640dffc0
Instruction ID: 1fad05be464f814624f94175355417ab2f779bbec38ddc59e1f66f2de5ff5cd7
Opcode Fuzzy Hash: 38372030d8afc1b67a181a114b27a4378d66626ef193a89819486ba2640dffc0
Instruction Fuzzy Hash: 80516271A002099FCB44EBB4D848AEEB7A6FF89314F148A69E512DB351DF34DD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176DC6D, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176DD8A

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: efa9a9146574afb42e3ba0c7de84375042da1f65955753f9936df99494133341
Instruction ID: 718b5a773c03bc82d98b26b69cdf041b9ec98e0846357fa8a58d926ed658744f
Opcode Fuzzy Hash: efa9a9146574afb42e3ba0c7de84375042da1f65955753f9936df99494133341
Instruction Fuzzy Hash: E151BFB1D102089FDB15CFA9C984ADEFBB5BF58314F24812AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0176DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176DD8A

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8b7e99fc20203ba0672b99bb23052eb71095541a6a6eb46e450eede6ce085070
Instruction ID: a22b6196f5995fa15b7033c8fda79407389b2d3330c8524dfc340bc2e287dcb9
Opcode Fuzzy Hash: 8b7e99fc20203ba0672b99bb23052eb71095541a6a6eb46e450eede6ce085070
Instruction Fuzzy Hash: F5419FB1D103099FDB14DFDAC884ADEFBB5BF98314F24812AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01766D61, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01766E5F

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9d06257c647c5f08cbca9eaaa2e55ca08d10d2149c19cdf325c62f8555cf8c3
Instruction ID: 275a928ac3c85018b743e4b7d5746160aa990dbbaba3ad69b224aa367e1a3b2f
Opcode Fuzzy Hash: d9d06257c647c5f08cbca9eaaa2e55ca08d10d2149c19cdf325c62f8555cf8c3
Instruction Fuzzy Hash: 88415BB6900248AFCB01CFA9D844ADEBFF5FF99314F14805AE914A7361C3359915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0186FAE8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0186FBA1

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d82f298cf1f047e097142fe0702ec316ab5f70e8553f34ea7c22b31824401b2
Instruction ID: d26f494b565e17de2bef19ff6c4912542aebbebc4a59b1b12a62aed8e4e42bd6
Opcode Fuzzy Hash: 5d82f298cf1f047e097142fe0702ec316ab5f70e8553f34ea7c22b31824401b2
Instruction Fuzzy Hash: B931DFB1D002589FCB20CF9AD894A8EBFF9BF48314F15802AE919AB310D7749905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0186F880, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0186F934

Memory Dump Source

Source File: 00000001.00000002.916322621.0000000001860000.00000040.00000001.sdmp, Offset: 01860000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f769458ccb6ef1535cb88d3017317d345b4c08f2a11a0a1f1adfe5a7bd389e5e
Instruction ID: 0c8756aaf5a34909d857c90034974174831a1c684561feb3e9e857ae8ad68ac9
Opcode Fuzzy Hash: f769458ccb6ef1535cb88d3017317d345b4c08f2a11a0a1f1adfe5a7bd389e5e
Instruction Fuzzy Hash: 9B310FB0D042489FDB14CF99C584A8EFFF5BF49304F29816AE909AB300C7759985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01766DD0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01766E5F

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 25ad14effee207f61941316624112fb356bd9f6afc2960fbc15afb09aa79ce6c
Instruction ID: f7173b029f23302db0a8f4b550ffb539db2f5c3ffd3b99e41d60037d4042dcc2
Opcode Fuzzy Hash: 25ad14effee207f61941316624112fb356bd9f6afc2960fbc15afb09aa79ce6c
Instruction Fuzzy Hash: 5B21E5B5901208AFDB10CFA9D984ADEFBF8FB58324F14801AE914A7310D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01766DD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01766E5F

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e74b959c3db239b6e997fed436cebf28d21d55899e706e2e6cf313ce0b5ff1a
Instruction ID: 9fcfc4d73674b1691f34ca725bdd8a3d81ac335716c8263122dd4ed6e4865718
Opcode Fuzzy Hash: 5e74b959c3db239b6e997fed436cebf28d21d55899e706e2e6cf313ce0b5ff1a
Instruction Fuzzy Hash: DD21C4B59002089FDB10CFAAD984ADEFBF8FB48324F14841AE914A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176AD78, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0176BE81,00000800,00000000,00000000), ref: 0176C092

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 497851149cc761581922f0a801836deffcb9d6ed4be47366a084958bff069e75
Instruction ID: b5a91aaaccde2fc6c3e8e65e3bbbfb0c0d826f9b4fedd9273daa3b454ae17700
Opcode Fuzzy Hash: 497851149cc761581922f0a801836deffcb9d6ed4be47366a084958bff069e75
Instruction Fuzzy Hash: C91117B69042489FDB14CF9AC844BDEFBF8EB99314F04852ED955A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176C020, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0176BE81,00000800,00000000,00000000), ref: 0176C092

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b82e8af14bb22e64c4ff1ae415d8e09b6614ff750fa5480401483aabf4c723ed
Instruction ID: 3097b43487cc8f9b11fbaa6de70c2c88173a241f9040f5807e37e03bbf2fbc7c
Opcode Fuzzy Hash: b82e8af14bb22e64c4ff1ae415d8e09b6614ff750fa5480401483aabf4c723ed
Instruction Fuzzy Hash: EA1144B2C002488FDB20CF9AC884BDEFBF8FB99314F04852AD915A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176BDA0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0176BE06

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7ab0ba7800efaddbbb95b9862695b9bab0103bc44484befdcfe5f71030207a2d
Instruction ID: a2e9862b9178289f3dcbd896ce555b5ff9dff51e5428989d54abf8398b109251
Opcode Fuzzy Hash: 7ab0ba7800efaddbbb95b9862695b9bab0103bc44484befdcfe5f71030207a2d
Instruction Fuzzy Hash: E61113B1D002098FDB14CF9AC844BDEFBF8AF89324F10842AD929B7200C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01837010, Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916299078.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd9680434f8120bc49ff34beca49aa5ecdd38e1011424fd184c41720dea12b9
Instruction ID: d00727aa96f614b65bc46056360f921604a65afe00286dd5d5774b0b359276d7
Opcode Fuzzy Hash: bbd9680434f8120bc49ff34beca49aa5ecdd38e1011424fd184c41720dea12b9
Instruction Fuzzy Hash: 6212B03070D3859FE70297299C546A67FF59B82304F1A80E7E558CF6A3D638ED09C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0176C2A8, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc017b164c7820cae3ef53486e907cdbacd66e5b72042c5ac20072aeea24ef5
Instruction ID: 948669fe2ef236ddb69cec0f78cb882898501210282f4a23204fbcda34f2c480
Opcode Fuzzy Hash: cdc017b164c7820cae3ef53486e907cdbacd66e5b72042c5ac20072aeea24ef5
Instruction Fuzzy Hash: 5F5248B1600B068FD725CF1AE88859D7FA1FB45338F90C20CD6615BA99D3B6764ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0176AB34, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916101998.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14386a4f12429826f08d299573af9fe871a99b7b8aa2d7afbb75801917085afd
Instruction ID: a45d3434a4ca07dc262b0a5e6dd00b86b2f4fce9d887971fd37b5d34bbfc55c4
Opcode Fuzzy Hash: 14386a4f12429826f08d299573af9fe871a99b7b8aa2d7afbb75801917085afd
Instruction Fuzzy Hash: 21A13B32F0021A9FCF15DFA9C8445DEFBB6FF89300B15856AE905BB225EB31A955CB40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Swift doc. ZD.1.19022021_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations