
Analysis Report mal5.exe

Overview

General Information

Sample Name: mal5.exe
Analysis ID: 383921
MD5: 082b50aa4a4ccaea6b415de2e968ad47
SHA1: d6fb2b9d96280dd812325fe8338f646dd918cfdb
SHA256: 6ed8f5c23004500f4125edd751c5129935bb62a182d5922b1108fb618bf45961

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • mal5.exe (PID: 400 cmdline: 'C:\Users\user\Desktop\mal5.exe' MD5: 082B50AA4A4CCAEA6B415DE2E968AD47)
    • mal5.exe (PID: 4672 cmdline: 'C:\Users\user\Desktop\mal5.exe' MD5: 082B50AA4A4CCAEA6B415DE2E968AD47)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "vladmir@mail.commarcellinussmtp.mail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000001.235962942.0000000000414000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.240515409.000000001ED80000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: mal5.exe PID: 400 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: mal5.exe PID: 4672 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.mal5.exe.1ed91458.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.mal5.exe.1ed80000.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.1.mal5.exe.415058.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.1.mal5.exe.415058.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.1.mal5.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.1.mal5.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "vladmir@mail.commarcellinussmtp.mail.com"}
Multi AV Scanner detection for submitted file
Source: mal5.exe | Virustotal: Detection: 31%
Source: 1.1.mal5.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: mal5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: mal5.exe, 00000000.00000003.230970902.000000001EDD0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: mal5.exe, 00000000.00000003.230970902.000000001EDD0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00404A29 FindFirstFileExW,1_1_00404A29
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 74.208.5.15:587
Source: Joe Sandbox View | IP Address: 74.208.5.15
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 74.208.5.15:587
Source: unknown | DNS traffic detected: queries for: smtp.mail.com
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: http://status.geotrust.com0=
Source: mal5.exe, 00000001.00000003.453704024.0000000005AB8000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: mal5.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040314A
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_0040A2A5
Source: mal5.exe, 00000000.00000003.236568306.000000001F0CF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs mal5.exe
Source: mal5.exe, 00000000.00000002.240515409.000000001ED80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegaFhfKWnVkfloSqIdHKFOomGmLSlSUQjbqMZ.exe4 vs mal5.exe
Source: mal5.exe | Binary or memory string: OriginalFilename vs mal5.exe
Source: mal5.exe, 00000001.00000001.235962942.0000000000414000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamegaFhfKWnVkfloSqIdHKFOomGmLSlSUQjbqMZ.exe4 vs mal5.exe
Source: mal5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/3@1/1
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,1_1_00401489
Source: C:\Users\user\Desktop\mal5.exe | File created: C:\Users\user\AppData\Local\Temp\nsfC309.tmp
Source: mal5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mal5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mal5.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mal5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mal5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: mal5.exe | Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\mal5.exe | File read: C:\Users\user\Desktop\mal5.exe
Source: unknown | Process created: C:\Users\user\Desktop\mal5.exe 'C:\Users\user\Desktop\mal5.exe'
Source: C:\Users\user\Desktop\mal5.exe | Process created: C:\Users\user\Desktop\mal5.exe 'C:\Users\user\Desktop\mal5.exe'
Source: C:\Users\user\Desktop\mal5.exe | Process created: C:\Users\user\Desktop\mal5.exe 'C:\Users\user\Desktop\mal5.exe'
Source: C:\Users\user\Desktop\mal5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\mal5.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP source: mal5.exe, 00000000.00000003.230970902.000000001EDD0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: mal5.exe, 00000000.00000003.230970902.000000001EDD0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
Source: C:\Users\user\Desktop\mal5.exe | File created: C:\Users\user\AppData\Local\Temp\nsaC339.tmp\2zz1gp0k.dll
Source: C:\Users\user\Desktop\mal5.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\mal5.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\mal5.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\mal5.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\mal5.exe | Window / User API: threadDelayed 5393
Source: C:\Users\user\Desktop\mal5.exe | Window / User API: threadDelayed 4386
Source: C:\Users\user\Desktop\mal5.exe TID: 5532 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\mal5.exe TID: 5356 | Thread sleep count: 5393 > 30
Source: C:\Users\user\Desktop\mal5.exe TID: 5356 | Thread sleep count: 4386 > 30
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\mal5.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00404A29 FindFirstFileExW,1_1_00404A29
Source: C:\Users\user\Desktop\mal5.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\mal5.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_73361000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73361000
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_02B72FAF mov eax, dword ptr fs:[00000030h] 0_2_02B72FAF
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_02B72CEA mov eax, dword ptr fs:[00000030h] 0_2_02B72CEA
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h] 1_1_004035F1
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_004067FE GetProcessHeap,1_1_004067FE
Source: C:\Users\user\Desktop\mal5.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401E1D SetUnhandledExceptionFilter,1_1_00401E1D
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_0040446F
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_00401C88
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_00401F30
Source: C:\Users\user\Desktop\mal5.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\mal5.exe | Code function: 0_2_73361000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73361000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\mal5.exe | Section loaded: unknown target: C:\Users\user\Desktop\mal5.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mal5.exe | Process created: C:\Users\user\Desktop\mal5.exe 'C:\Users\user\Desktop\mal5.exe'
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_0040208D cpuid 1_1_0040208D
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\mal5.exe | Code function: 1_1_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_1_00401B74
Source: C:\Users\user\Desktop\mal5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000001.235962942.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240515409.000000001ED80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mal5.exe PID: 400, type: MEMORY
Source: Yara match | File source: Process Memory Space: mal5.exe PID: 4672, type: MEMORY
Source: Yara match | File source: 0.2.mal5.exe.1ed91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed91458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed80000.5.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\mal5.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\mal5.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\mal5.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\mal5.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000001.235962942.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240515409.000000001ED80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mal5.exe PID: 400, type: MEMORY
Source: Yara match | File source: Process Memory Space: mal5.exe PID: 4672, type: MEMORY
Source: Yara match | File source: 0.2.mal5.exe.1ed91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mal5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed91458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mal5.exe.1ed80000.5.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 211 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 1 | Credentials in Registry 1 | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Information Discovery 126 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 141 | NTDS | Query Registry 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 211 | LSA Secrets | Security Software Discovery 14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Process Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion 141 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction