Analysis Report i6xFULh8J5.exe

Overview

General Information

Sample Name:	i6xFULh8J5.exe
Analysis ID:	432660
MD5:	6c425cf25da766d3d98597a9be4e7300
SHA1:	874344555856dca223730f32ac81b8a743db4cfd
SHA256:	0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 1.1.i6xFULh8J5.exe.415058.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}

Multi AV Scanner detection for submitted file

Source: i6xFULh8J5.exe

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for sample

Source: i6xFULh8J5.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.i6xFULh8J5.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.i6xFULh8J5.exe.4860000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.1.i6xFULh8J5.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Unpacked PE file: 1.2.i6xFULh8J5.exe.4860000.6.unpack

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack

Uses 32bit PE files

Source: i6xFULh8J5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 185.145.97.154:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.145.97.154 185.145.97.154

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HOSTWINDSUS HOSTWINDSUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 185.145.97.154:587

Source: unknown

DNS traffic detected: queries for: mail.mytravelws.com

Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: http://DZUhkq.com
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: i6xFULh8J5.exe, 00000001.00000003.891159515.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: i6xFULh8J5.exe, 00000001.00000002.918823038.00000000059DD000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationScZ
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp	String found in binary or memory: http://mail.mytravelws.com
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp	String found in binary or memory: http://mytravelws.com
Source: i6xFULh8J5.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: i6xFULh8J5.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915499236.0000000002696000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000003.871081377.0000000004FC1000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915635781.0000000002704000.00000004.00000001.sdmp	String found in binary or memory: https://Aloa82nGvgBCiZ.org
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

System Summary:

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Detected potential crypto function

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_6FC71A98	0_2_6FC71A98
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05969919	1_3_05969919

PE file contains strange resources

Source: i6xFULh8J5.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: i6xFULh8J5.exe, 00000000.00000003.654308462.0000000009D0F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.913725980.0000000000199000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.914372440.0000000000840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.919010044.0000000005F70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs i6xFULh8J5.exe

Uses 32bit PE files

Source: i6xFULh8J5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@4/1

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\i6xFULh8J5.exe

File created: C:\Users\user\AppData\Roaming\xnpbd3fr.5ju

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'	Jump to behavior

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 0_2_6FC72F60 push eax; ret	0_2_6FC72F8E
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05979E84 push ecx; iretd	1_3_05979E89
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05979E84 push ecx; iretd	1_3_05979E89
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597E21F push edx; retf	1_3_0597E221
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597C107 pushad ; retf	1_3_0597C115
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597E20D push edx; retf	1_3_0597E21E
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597E250 push eax; retf	1_3_0597E251
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597E25A push edx; retf	1_3_0597E25B
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_0597CD64 pushad ; ret	1_3_0597CD65
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05979E84 push ecx; iretd	1_3_05979E89
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05979E84 push ecx; iretd	1_3_05979E89
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Code function: 1_3_05965B3B push FFFFFFDBh; iretd	1_3_05965B4C

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Window / User API: threadDelayed 626			Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Window / User API: threadDelayed 9227			Jump to behavior

Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5872	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868	Thread sleep count: 626 > 30	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868	Thread sleep count: 9227 > 30	Jump to behavior

Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\i6xFULh8J5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: i6xFULh8J5.exe PID: 6956, type: MEMORY

Name	IP	Active
mytravelws.com	185.145.97.154	true
mail.mytravelws.com	unknown	unknown

ID:	432660
Product:	CloudBasic
Start time:	16:30:27
Start date:	10.06.2021
Sample:	i6xFULh8J5.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6c425cf25da766d3d98597a9be4e7300
SHA1:	874344555856dca223730f32ac81b8a743db4cfd
SHA256:	0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c
Filetype:	Win32 Executable (generic) a (10002005/4) 92.16%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\cngupzj2oe	data	50C707C4A6C86D7DEEA6AB366421D287	D8C267A75759ACFA4C41440FA114F1537C1C6DEB	D318B7EA53EA3BAEA3077BDF6A509F5795F50347BCED88553B49224322115CBF
C:\Users\user\AppData\Local\Temp\imrixuzycldld	data	9C22DFC73C577BE53A2D0216ED1D846F	B6C3D777BFD8D4EA20AF30D77D413B50B558CB88	CC6D0EC0C062FBB1934B0CDE671CD19F10130B7773F707F3CEBFC48841268DE3
C:\Users\user\AppData\Local\Temp\nsm5CFB.tmp	data	779592F0B8F98EBF3E724421735E1876	97C3E60CF03CBF2F57F78A172E09A53DB520F9E5	9066D1B11F2B6FB122A37F20AA9DFD2FFFC99230A3328844E5BFBB79857FCE9A
C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FCCFF8CB7A1067E23FD2E2B63971A8E1	30E2A9E137C1223A78A0F7B0BF96A1C361976D91	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
C:\Users\user\AppData\Roaming\xnpbd3fr.5ju\Chrome\Default\Cookies	SQLite 3.x database, last written using SQLite version 3032001	A7FE10DA330AD03BF22DC9AC76BBB3E4	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8

Analysis Report i6xFULh8J5.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains