Analysis Report 20210504_20210405.exe

Overview

General Information

Sample Name: 20210504_20210405.exe
Analysis ID: 404243
MD5: f40f9b893ced71cb1ca32422ccd18d75
SHA1: 0d109db09fc59e2c15b17f401919be62ff061742
SHA256: 97eba4e44b5a777231316e709cb9eda7bd9670034fdac573724347196acfcf57
Tags: exe

Detection

AgentTesla Telegram RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Startup

  • System is w10x64
  • 20210504_20210405.exe (PID: 7000 cmdline: 'C:\Users\user\Desktop\20210504_20210405.exe' MD5: F40F9B893CED71CB1CA32422CCD18D75)
    • 20210504_20210405.exe (PID: 7076 cmdline: C:\Users\user\Desktop\20210504_20210405.exe MD5: F40F9B893CED71CB1CA32422CCD18D75)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1354205151", "Chat URL": "https://api.telegram.org/bot1437981864:AAFmXsejy8kUC_pj3BwrEvAeb2cv12XMVZI/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.20210504_20210405.exe.3dd7748.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.20210504_20210405.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.20210504_20210405.exe.3c88898.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.20210504_20210405.exe.3dd7748.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.20210504_20210405.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1354205151", "Chat URL": "https://api.telegram.org/bot1437981864:AAFmXsejy8kUC_pj3BwrEvAeb2cv12XMVZI/sendDocument"}
Multi AV Scanner detection for submitted file
Source: 20210504_20210405.exe | ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: 20210504_20210405.exe | Joe Sandbox ML: detected
Source: 1.2.20210504_20210405.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 20210504_20210405.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: 20210504_20210405.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: http://LKsSWf.com
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: 20210504_20210405.exe, 00000001.00000002.913117138.0000000001583000.00000004.00000020.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: 20210504_20210405.exe, 00000001.00000002.913117138.0000000001583000.00000004.00000020.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: 20210504_20210405.exe, 00000001.00000002.913117138.0000000001583000.00000004.00000020.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: 20210504_20210405.exe, 00000001.00000002.913117138.0000000001583000.00000004.00000020.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: 20210504_20210405.exe, 00000001.00000002.913117138.0000000001583000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/02
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: 20210504_20210405.exe, 00000000.00000002.656756518.0000000002BE1000.00000004.00000001.sdmp, 20210504_20210405.exe, 00000001.00000002.914571014.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 20210504_20210405.exe | String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: https://ZjkYYZZsvgTe1lRecEb.org
Source: 20210504_20210405.exe, 00000001.00000002.914571014.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: 20210504_20210405.exe, 00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp, 20210504_20210405.exe, 00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1437981864:AAFmXsejy8kUC_pj3BwrEvAeb2cv12XMVZI/
Source: 20210504_20210405.exe, 00000001.00000002.913247711.0000000001614000.00000004.00000020.sdmp, 20210504_20210405.exe, 00000001.00000002.914571014.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1437981864:AAFmXsejy8kUC_pj3BwrEvAeb2cv12XMVZI/sendDocument
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1437981864:AAFmXsejy8kUC_pj3BwrEvAeb2cv12XMVZI/sendDocumentdocument-----
Source: 20210504_20210405.exe, 00000001.00000002.914571014.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org41k
Source: 20210504_20210405.exe, 00000001.00000002.914611347.00000000035A7000.00000004.00000001.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: 20210504_20210405.exe | String found in binary or memory: https://github.com/MrCylops
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 20210504_20210405.exe, 00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp, 20210504_20210405.exe, 00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 20210504_20210405.exe, 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: 20210504_20210405.exe, 00000000.00000002.656452480.000000000101A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 1.2.20210504_20210405.exe.400000.0.unpack, <PrivateImplementationDetails>{253D0FE2-0B97-45E1-B884-BFFB83F13532}/60D41ECD-5AAC-45FA-816A-5D4E877E72F3.cs | Large array initialization: .cctor: array initializer size 12005
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 0_2_02A5C2B0
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 0_2_02A59990
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 1_2_019747A0
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 1_2_01974790
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 1_2_0197D820
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 1_2_06377500
Source: C:\Users\user\Desktop\20210504_20210405.exe | Code function: 1_2_0637C068
Source: 20210504_20210405.exe, 00000000.00000002.661384199.0000000006000000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000000.00000002.656060865.0000000000932000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStubHelpers.exe> vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyucdRfGqglLYCNzNFxRTIcmGQtCfMFXvJrSvO.exe4 vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000000.00000002.656452480.000000000101A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000000.00000002.656756518.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000001.00000002.912485712.0000000000EB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStubHelpers.exe> vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyucdRfGqglLYCNzNFxRTIcmGQtCfMFXvJrSvO.exe4 vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000001.00000002.917451675.0000000006B70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 20210504_20210405.exe
Source: 20210504_20210405.exe, 00000001.00000002.912616106.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 20210504_20210405.exe
Source: 20210504_20210405.exe | Binary or memory string: OriginalFilenameStubHelpers.exe> vs 20210504_20210405.exe
Source: 20210504_20210405.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 20210504_20210405.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.20210504_20210405.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\20210504_20210405.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20210504_20210405.exe.log
Source: C:\Users\user\Desktop\20210504_20210405.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\20210504_20210405.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\20210504_20210405.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\20210504_20210405.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\20210504_20210405.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: 20210504_20210405.exe | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Users\user\Desktop\20210504_20210405.exe 'C:\Users\user\Desktop\20210504_20210405.exe'
Source: C:\Users\user\Desktop\20210504_20210405.exe | Process created: C:\Users\user\Desktop\20210504_20210405.exe C:\Users\user\Desktop\20210504_20210405.exe
Source: C:\Users\user\Desktop\20210504_20210405.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\20210504_20210405.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\20210504_20210405.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 20210504_20210405.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 20210504_20210405.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 20210504_20210405.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 20210504_20210405.exe | Static PE information: 0xF2EE6F15 [Wed Feb 25 14:17:57 2099 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.66441131733
Source: C:\Users\user\Desktop\20210504_20210405.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\20210504_20210405.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match, file source: 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7000, type: MEMORY
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Thread delayed: delay time: 922337203685477 (2 entries; 922337203685477 ms equals 2^63 NT intervals of 100 ns, the largest relative timeout a signed 64-bit wait can express, roughly 29,000 years, so the wait is effectively infinite and ends only when the process is terminated)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Window / User API: threadDelayed 416
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Window / User API: threadDelayed 9429
                    Source: C:\Users\user\Desktop\20210504_20210405.exe TID: 7004 Thread sleep time: -103034s >= -30000s
                    Source: C:\Users\user\Desktop\20210504_20210405.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\20210504_20210405.exe TID: 4552 Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Users\user\Desktop\20210504_20210405.exe TID: 768 Thread sleep count: 416 > 30
                    Source: C:\Users\user\Desktop\20210504_20210405.exe TID: 768 Thread sleep count: 9429 > 30
                    Source: C:\Users\user\Desktop\20210504_20210405.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\20210504_20210405.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Thread delayed: delay time: 103034
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Thread delayed: delay time: 922337203685477 (2 entries)
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: vmware
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " (besides the VMware display adapter name, this string carries the Windows Defender PowerShell cmdlet fragment Add-MpPreference -ExclusionPath, suggesting the sample can add a Defender path exclusion; no separate signature in this report covers that)
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: VMWARE
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                    Source: 20210504_20210405.exe, 00000000.00000002.656827071.0000000002C35000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: 20210504_20210405.exe, 00000001.00000002.913247711.0000000001614000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    .NET source code references suspicious native API functions
                    Source: 20210504_20210405.exe, Memory.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                    Source: 20210504_20210405.exe, ProcessClass.cs Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                    Source: 0.0.20210504_20210405.exe.850000.0.unpack, ProcessClass.cs Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                    Source: 0.0.20210504_20210405.exe.850000.0.unpack, Memory.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                    Source: 0.2.20210504_20210405.exe.850000.0.unpack, Memory.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                    Source: 0.2.20210504_20210405.exe.850000.0.unpack, ProcessClass.cs Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                    Source: 1.2.20210504_20210405.exe.400000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 1.0.20210504_20210405.exe.dd0000.0.unpack, Memory.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                    Source: 1.0.20210504_20210405.exe.dd0000.0.unpack, ProcessClass.cs Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                    Source: 1.2.20210504_20210405.exe.dd0000.1.unpack, Memory.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                    Source: 1.2.20210504_20210405.exe.dd0000.1.unpack, ProcessClass.cs Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Process created: C:\Users\user\Desktop\20210504_20210405.exe C:\Users\user\Desktop\20210504_20210405.exe (the sample launches a second copy of itself; together with the OpenProcess / ReadProcessMemory / WriteProcessMemory references above this is the usual shape of injecting an unpacked payload into a child of the same image, and the AgentTesla Yara hits for process 1 at 0x400000 listed below show where that payload ended up)
                    Source: 20210504_20210405.exe, 00000001.00000002.913601760.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Program Manager
                    Source: 20210504_20210405.exe, 00000001.00000002.913601760.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                    Source: 20210504_20210405.exe, 00000001.00000002.913601760.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progman
                    Source: 20210504_20210405.exe, 00000001.00000002.913601760.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Users\user\Desktop\20210504_20210405.exe VolumeInformation (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match, file source: 00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7076, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7000, type: MEMORY
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3dd7748.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 1.2.20210504_20210405.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3c88898.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3dd7748.2.raw.unpack, type: UNPACKEDPE
                    Yara detected Telegram RAT
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7076, type: MEMORY
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\20210504_20210405.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\20210504_20210405.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\20210504_20210405.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 entries)
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\20210504_20210405.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match, file source: 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7076, type: MEMORY
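The evasion entries (WMI hardware classes, sandbox DLL names, VMware strings, very long thread delays, a self-spawned child) and the credential-store paths and registry keys listed in the two sections above are exactly what a triage script keys on. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses report-style behaviour lines and tallies the indicator families. The input lines are constructed, not taken from the sandbox, and use " | " as an explicit separator between the acting process and the action (the report prints them run together); the 3-minute sleep threshold is the one this report's "long sleeps" signature uses, and the WMI classes and credential-store fragments are copied from the entries above rather than from any published rule set.

```python
import re
from collections import defaultdict

# Indicator tables taken from the report entries above (evasion section and
# credential-theft section); not from any published rule set.
ANTI_VM_WMI_CLASSES = {"Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter",
                       "Win32_NetworkAdapterConfiguration", "Win32_Processor"}
ANALYSIS_TOOL_STRINGS = ("SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME",
                         "VMWARE TOOLS", "VMWARE SVGA II", "VMWARE, INC.")
CREDENTIAL_STORES = {  # path / registry-key fragment -> store class named in the report
    r"\Google\Chrome\User Data\Default\Login Data": "browser",
    r"\Mozilla\Firefox\profiles.ini": "browser",
    r"\FileZilla\recentservers.xml": "ftp",
    r"\SmartFTP\Client 2.0\Favorites": "ftp",
    r"\Martin Prikryl\WinSCP 2\Sessions": "putty_winscp",
    r"\Thunderbird\profiles.ini": "mail",
    r"\IncrediMail\Identities": "mail",
    r"\Windows Messaging Subsystem\Profiles\Outlook": "mail",
}
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own "long sleeps (>= 3 min)" threshold

# Constructed input (not from the sandbox): report-style lines with " | " as an
# explicit separator between the acting process and the observed action.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem
Source: sample.exe, 00000000.00000002.sdmp | Binary or memory string: SBIEDLL.DLL
Source: sample.exe, 00000000.00000002.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 103034
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 250
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe C:\Users\user\Desktop\sample.exe
Source: C:\Users\user\Desktop\sample.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\sample.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\sample.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\sample.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\sample.exe | File opened: C:\Users\user\Documents\notes.txt
"""

LINE_RE = re.compile(r"^Source:\s*(?P<proc>.+?) \| (?P<action>[^:]+):\s*(?P<detail>.*)$")
# Accepts both forms seen in the report: "CreateInstanceEnum - ns : Class" and
# "ExecQuery - ns : SELECT * FROM Class"; group 1 is the WMI class name.
WMI_RE = re.compile(r"IWbemServices::(?:CreateInstanceEnum|ExecQuery) - \S+ : (?:SELECT \* FROM )?(\w+)")


def triage(lines):
    """Map report lines to {indicator: [matched details]} using the tables above."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a format this parser does not know
        proc, action, detail = m.group("proc"), m.group("action"), m.group("detail")
        if action == "WMI Queries":
            w = WMI_RE.search(detail)
            if w and w.group(1) in ANTI_VM_WMI_CLASSES:
                hits["anti_vm_wmi"].append(w.group(1))
        elif action == "Binary or memory string":
            if any(s in detail.upper() for s in ANALYSIS_TOOL_STRINGS):
                hits["analysis_tool_string"].append(detail)
        elif action == "Thread delayed":
            delay_ms = int(detail.rsplit(":", 1)[1])  # detail is "delay time: <ms>"
            if delay_ms >= LONG_SLEEP_MS:
                hits["long_sleep_ms"].append(delay_ms)
        elif action in ("File opened", "Key opened"):
            for fragment, store in CREDENTIAL_STORES.items():
                if fragment.lower() in detail.lower():
                    hits["credential_access:" + store].append(detail)
        elif action == "Process created":
            child = detail.split(" ")[0]  # first token is the child image (sample paths have no spaces)
            if child.lower() == proc.lower():
                hits["self_spawn"].append(child)  # parent and child image identical: hollowing pattern
    return dict(hits)


def verdict(hits):
    """Coarse triage label from the indicator families present."""
    evasion = {"anti_vm_wmi", "analysis_tool_string", "long_sleep_ms"} & set(hits)
    theft = [k for k in hits if k.startswith("credential_access:")]
    if theft and evasion:
        return "likely infostealer with sandbox evasion"
    if theft:
        return "credential access"
    if evasion:
        return "sandbox evasion"
    return "no indicators"


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    for name, items in sorted(result.items()):
        print(f"{name}: {len(items)} -> {items[:2]}")
    print(verdict(result))
```

Run it directly to print the indicator counts and the verdict for the constructed sample: the Win32_OperatingSystem query and the notes.txt open are correctly ignored, the 103034 ms delay stays below the 3-minute threshold while the 922337203685477 ms one is flagged, and the self-spawn is caught because parent and child image are identical. A real feed (Sysmon, ETW, or the sandbox's JSON export) needs its own line regex, but the indicator tables and the scoring carry over unchanged.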

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match, file source: 00000001.00000002.912316096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.657827131.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000001.00000002.913920147.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7076, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7000, type: MEMORY
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3dd7748.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 1.2.20210504_20210405.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3c88898.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.20210504_20210405.exe.3dd7748.2.raw.unpack, type: UNPACKEDPE
                    Yara detected Telegram RAT
                    Source: Yara match, file source: Process Memory Space: 20210504_20210405.exe PID: 7076, type: MEMORY

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1