Analysis Report 1g1NLI6i33.exe

Overview

General Information

Sample Name: 1g1NLI6i33.exe
Analysis ID: 404206
MD5: d0a8c2403c51ea96d820dcd443f1aaab
SHA1: 825a057b9218a956a632bdd563056be37bfc0c10
SHA256: 0c397ebc470f59440b6a317a88a2592c0b05057cea1ff2f31b9fdde549971aee
Tags: AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 7.1.vsbqyetogexvl.exe.415058.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "elliech@orlonimages.comchidiebere2419us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: 1g1NLI6i33.exe Virustotal: Detection: 28% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 1g1NLI6i33.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vsbqyetogexvl.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.1g1NLI6i33.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.1.vsbqyetogexvl.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 9.1.vsbqyetogexvl.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 9.2.vsbqyetogexvl.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Unpacked PE file: 1.2.1g1NLI6i33.exe.4990000.5.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 9.2.vsbqyetogexvl.exe.4960000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack
Uses 32bit PE files
Source: 1g1NLI6i33.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1g1NLI6i33.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004059F0
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_0040659C FindFirstFileA,FindClose, 0_2_0040659C
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00404A29 FindFirstFileExW, 7_2_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00404A29 FindFirstFileExW, 7_1_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00404A29 FindFirstFileExW, 9_2_00404A29

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 208.91.199.224:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.224 208.91.199.224
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 208.91.199.224:587
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vsbqyetogexvl.exe, 00000009.00000002.914620731.000000000280A000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://1UVMV9Y76P8yRzwJn.net
Source: vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://kVHmOE.com
Source: 1g1NLI6i33.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 1g1NLI6i33.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: 1g1NLI6i33.exe, 00000001.00000002.914841865.00000000028A5000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.914664635.000000000283A000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vsbqyetogexvl.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040548D

System Summary:

barindex
.NET source code contains very large array initializations
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC17428B6u002dFFF5u002d4075u002dA591u002d98F8482E88C5u007d/B3460D8Fu002d441Du002d4B0Du002d9716u002d48CAFB425886.cs Large array initialization: .cctor: array initializer size 11945
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, u003cPrivateImplementationDetailsu003eu007bC17428B6u002dFFF5u002d4075u002dA591u002d98F8482E88C5u007d/B3460D8Fu002d441Du002d4B0Du002d9716u002d48CAFB425886.cs Large array initialization: .cctor: array initializer size 11945
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403461
Detected potential crypto function
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_00406925 0_2_00406925
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0069B968 1_2_0069B968
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0069311E 1_2_0069311E
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00692618 1_2_00692618
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00695B20 1_2_00695B20
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00691FE0 1_2_00691FE0
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_006980BE 1_2_006980BE
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00697D67 1_2_00697D67
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00697DAF 1_2_00697DAF
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0069FA58 1_2_0069FA58
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00697E11 1_2_00697E11
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009F5801 1_2_009F5801
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009FA448 1_2_009FA448
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009F0040 1_2_009F0040
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009F4330 1_2_009F4330
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009F2020 1_2_009F2020
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009FED6B 1_2_009FED6B
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_009FAB91 1_2_009FAB91
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_0040A2A5 7_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00AD46A0 7_2_00AD46A0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00AD3CF6 7_2_00AD3CF6
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00AD4690 7_2_00AD4690
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_0040A2A5 7_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0040A2A5 9_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00480888 9_2_00480888
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00486890 9_2_00486890
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0048D140 9_2_0048D140
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0048AA40 9_2_0048AA40
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00484B38 9_2_00484B38
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004823E0 9_2_004823E0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00488098 9_2_00488098
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004855C8 9_2_004855C8
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0048AA8A 9_2_0048AA8A
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004A2618 9_2_004A2618
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004A1FE0 9_2_004A1FE0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004AB918 9_2_004AB918
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004AFA08 9_2_004AFA08
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00880040 9_2_00880040
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00882020 9_2_00882020
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0088A448 9_2_0088A448
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0088B97A 9_2_0088B97A
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_008842E0 9_2_008842E0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0088ABA0 9_2_0088ABA0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00B146A0 9_2_00B146A0
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00B145B0 9_2_00B145B0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: String function: 00401ED0 appears 69 times
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: String function: 0040569E appears 54 times
Sample file is different than original file name gathered from version info
Source: 1g1NLI6i33.exe, 00000000.00000003.650068345.0000000003386000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe Binary or memory string: OriginalFilename vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamesaxoJzjHMNvhkvKVXjRlZ.exe4 vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.918814474.0000000005800000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.911420720.0000000000199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1g1NLI6i33.exe
Uses 32bit PE files
Source: 1g1NLI6i33.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/13@2/1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403461
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040473E
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File created: C:\Users\user\AppData\Local\Temp\nsg55C0.tmp Jump to behavior
Source: 1g1NLI6i33.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 1g1NLI6i33.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File read: C:\Users\user\Desktop\1g1NLI6i33.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 1g1NLI6i33.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Unpacked PE file: 1.2.1g1NLI6i33.exe.4990000.5.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 9.2.vsbqyetogexvl.exe.4960000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA85AB push esp; ret 1_3_05AA85B1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8D8B push esp; ret 1_3_05AA8D91
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA899B push esp; ret 1_3_05AA89A1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA917B push esp; ret 1_3_05AA9181
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA9033 push esp; ret 1_3_05AA9039
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8463 push esp; ret 1_3_05AA8469
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8C43 push esp; ret 1_3_05AA8C49
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8853 push esp; ret 1_3_05AA8859
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA87A3 push esp; ret 1_3_05AA87A9
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA83B3 push esp; ret 1_3_05AA83B9
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8F83 push esp; ret 1_3_05AA8F89
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8B93 push esp; ret 1_3_05AA8B99
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AAE35F push edx; iretd 1_3_05AAE360
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AAEEDB push edi; retf 1_3_05AAEEDD
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA922B push esp; ret 1_3_05AA9231
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8E3B push esp; ret 1_3_05AA8E41
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA8A4B push esp; ret 1_3_05AA8A51
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_3_05AA865B push esp; ret 1_3_05AA8661
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00401F16 push ecx; ret 7_2_00401F29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00401F16 push ecx; ret 7_1_00401F29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00401F16 push ecx; ret 9_2_00401F29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004A7E3F push edi; retn 0000h 9_2_004A7E41

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File created: C:\Users\user\AppData\Local\Temp\nsu90B8.tmp\jupf00qz2dn.dll Jump to dropped file
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File created: C:\Users\user\AppData\Local\Temp\nsb55F1.tmp\jupf00qz2dn.dll Jump to dropped file
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File created: C:\Users\user\AppData\Local\Temp\nsqAEDE.tmp\jupf00qz2dn.dll Jump to dropped file
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Moves itself to temp directory
Source: c:\users\user\desktop\1g1nli6i33.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG607.tmp Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Window / User API: threadDelayed 7690 Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Window / User API: threadDelayed 2147 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Window / User API: threadDelayed 671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Window / User API: threadDelayed 9152 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6436 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6440 Thread sleep count: 7690 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6440 Thread sleep count: 2147 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6032 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6948 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 4972 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6180 Thread sleep count: 671 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6180 Thread sleep count: 9152 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 4972 Thread sleep count: 42 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1g1NLI6i33.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004059F0
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_0040659C FindFirstFileA,FindClose, 0_2_0040659C
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00404A29 FindFirstFileExW, 7_2_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00404A29 FindFirstFileExW, 7_1_00404A29
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00404A29 FindFirstFileExW, 9_2_00404A29
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 1g1NLI6i33.exe, 00000001.00000002.919212773.0000000005A90000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00480888 LdrInitializeThunk, 9_2_00480888
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h] 0_2_10001000
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 6_2_10001000 mov eax, dword ptr fs:[00000030h] 6_2_10001000
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 6_2_0304220D mov eax, dword ptr fs:[00000030h] 6_2_0304220D
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 6_2_03041F48 mov eax, dword ptr fs:[00000030h] 6_2_03041F48
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_004035F1 mov eax, dword ptr fs:[00000030h] 7_2_004035F1
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_004035F1 mov eax, dword ptr fs:[00000030h] 7_1_004035F1
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 8_2_023D220D mov eax, dword ptr fs:[00000030h] 8_2_023D220D
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 8_2_023D1F48 mov eax, dword ptr fs:[00000030h] 8_2_023D1F48
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_004035F1 mov eax, dword ptr fs:[00000030h] 9_2_004035F1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_10001509 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10001509
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 6_2_10001509 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_10001509
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00401E1D SetUnhandledExceptionFilter, 7_2_00401E1D
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040446F
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00401C88
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00401F30
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00401E1D SetUnhandledExceptionFilter, 7_1_00401E1D
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_1_0040446F
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_1_00401C88
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 7_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_1_00401F30
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00401E1D SetUnhandledExceptionFilter, 9_2_00401E1D
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0040446F
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00401C88
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Code function: 9_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00401F30
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Section loaded: unknown target: C:\Users\user\Desktop\1g1NLI6i33.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' Jump to behavior
Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403461
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915437676.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.692221014.0000000003060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.699094253.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704217438.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.916955385.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.703400223.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704708468.0000000004970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.912144653.00000000005D9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.916873369.0000000004920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.912048818.00000000004E9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.686936007.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914107097.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.703482798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.911491892.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704751452.00000000049B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911383328.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.654628131.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6956, type: MEMORY
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.24f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.6e6240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.4970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23e1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3060000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4920000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.3535530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.3555530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2430000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.34e5530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4920000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.3535530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2441458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.6e6240.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.34e5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3071458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.5f91f8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3060000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.504600.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.5f91f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.504600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3071458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2430000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.4970000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23e1458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.3555530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.24f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2441458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\1g1NLI6i33.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915437676.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.692221014.0000000003060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.699094253.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704217438.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.916955385.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.703400223.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704708468.0000000004970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.912144653.00000000005D9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.916873369.0000000004920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.912048818.00000000004E9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.686936007.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914107097.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.703482798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.911491892.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704751452.00000000049B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911383328.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.654628131.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY
Source: Yara match File source: Process Memory Space: vsbqyetogexvl.exe PID: 6956, type: MEMORY
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.24f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.6e6240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.4970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23e1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3060000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4920000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.3535530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.3555530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2430000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.34e5530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4920000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.3535530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2441458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.6e6240.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.34e5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3071458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.5f91f8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3060000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.504600.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.5f91f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.504600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vsbqyetogexvl.exe.3071458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2430000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vsbqyetogexvl.exe.4970000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1g1NLI6i33.exe.23e1458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.3555530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.1g1NLI6i33.exe.24f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vsbqyetogexvl.exe.2441458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404206 Sample: 1g1NLI6i33.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 31 us2.smtp.mailhostbox.com 2->31 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 2 other signatures 2->51 7 1g1NLI6i33.exe 1 21 2->7         started        11 vsbqyetogexvl.exe 17 2->11         started        13 vsbqyetogexvl.exe 17 2->13         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\vsbqyetogexvl.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\...\jupf00qz2dn.dll, PE32 7->25 dropped 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (creates a PE file in dynamic memory) 7->55 57 Detected unpacking (overwrites its own PE header) 7->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->59 15 1g1NLI6i33.exe 2 7->15         started        27 C:\Users\user\AppData\...\jupf00qz2dn.dll, PE32 11->27 dropped 61 Multi AV Scanner detection for dropped file 11->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->63 65 Machine Learning detection for dropped file 11->65 19 vsbqyetogexvl.exe 11->19         started        29 C:\Users\user\AppData\...\jupf00qz2dn.dll, PE32 13->29 dropped 67 Maps a DLL or memory area into another process 13->67 21 vsbqyetogexvl.exe 2 13->21         started        signatures6 process7 dnsIp8 33 us2.smtp.mailhostbox.com 208.91.199.224, 49768, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->33 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->35 37 Moves itself to temp directory 15->37 39 Tries to steal Mail credentials (via file access) 15->39 41 Tries to harvest and steal ftp login credentials 21->41 43 Tries to harvest and steal browser information (history, passwords, etc) 21->43 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.199.224
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.199.224 true