
Analysis Report i6xFULh8J5.exe

Overview

General Information

Sample Name: i6xFULh8J5.exe
Analysis ID: 432660
MD5: 6c425cf25da766d3d98597a9be4e7300
SHA1: 874344555856dca223730f32ac81b8a743db4cfd
SHA256: 0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name in its version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • i6xFULh8J5.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\i6xFULh8J5.exe' MD5: 6C425CF25DA766D3D98597A9BE4E7300)
    • i6xFULh8J5.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\i6xFULh8J5.exe' MD5: 6C425CF25DA766D3D98597A9BE4E7300)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}
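The configuration above is the whole exfiltration channel: SMTP submission to mail.mytravelws.com (port 587, matching the sandbox's TCP traffic to 185.145.97.154) with the credentials of the attacker's collection mailbox. Whether that mailbox was registered by the attacker or is a hijacked legitimate account the report does not say; either way the domain owner should be notified and the account treated as compromised. The process tree adds the behavioural side: the installer stage (PID 6920) re-executes itself, and the Yara hits and the extracted configuration all come from the child (process index 1, PID 6956). The Python below is an added example, not Joe Sandbox output or AgentTesla code: it derives network indicators from the extracted config and runs a self-spawn plus outbound-SMTP rule over constructed, Sysmon-like events. The event field names, the parent of PID 6920, the benign Outlook process and the 203.0.113.10 address are invented for the example; the PIDs, image path, domain, IP and port are the report's.

```python
"""Detection logic derived from this report (added example, not Joe Sandbox code).

The event records below are constructed in a Sysmon-like shape; the field
names are assumptions for this example, not a real log schema.
"""
from typing import Dict, Iterable, List, Set, Tuple

# From the "Malware Configuration" section of the report (password omitted).
CONFIG = {"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com",
          "Host": "mail.mytravelws.com"}
OBSERVED_IPS = ["185.145.97.154"]          # from the sandbox's TCP traffic line
MAIL_PORTS = {25, 465, 587}
# Constructed allowlist: processes that legitimately speak SMTP on a workstation.
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")

Finding = Tuple[str, int, str]  # (rule, pid, detail)


def iocs_from_config(config: Dict[str, str], extra_ips: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Turn the extracted config into network indicators.

    The SMTP host is the exfil endpoint; the mailbox domain is added too, since
    AgentTesla configs usually point at a mailbox on the same domain.
    """
    domains = {config["Host"].lower()}
    user = config.get("Username", "")
    if "@" in user:
        domains.add(user.rsplit("@", 1)[1].lower())
    return {"domains": domains, "ips": set(extra_ips)}


def _matches_domain(qname: str, domains: Set[str]) -> bool:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def detect(events: Iterable[Dict], iocs: Dict[str, Set[str]]) -> List[Finding]:
    """Single pass over ordered events; returns findings in event order.

    self_spawn   - a process whose image equals its parent's image (the report's
                   process tree: the installer stage re-executes itself).
    ioc_dns      - a DNS query for the configured SMTP host or mailbox domain.
    ioc_ip       - a connection to an address seen in the sandbox traffic.
    smtp_from_self_spawned_child - a self-spawned, non-mail-client process
                   connecting to a mail port: the exfil pattern in this report.
    """
    findings: List[Finding] = []
    self_spawned: Dict[int, int] = {}  # child pid -> parent pid
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            if e["Image"].lower() == e["ParentImage"].lower():
                self_spawned[e["Pid"]] = e["ParentPid"]
                findings.append(("self_spawn", e["Pid"], f"same image as parent {e['ParentPid']}"))
        elif kind == "DnsQuery":
            if _matches_domain(e["QueryName"], iocs["domains"]):
                findings.append(("ioc_dns", e["Pid"], e["QueryName"]))
        elif kind == "NetworkConnect":
            dest = f"{e['DestIp']}:{e['DestPort']}"
            if e["DestIp"] in iocs["ips"]:
                findings.append(("ioc_ip", e["Pid"], dest))
            is_mail_client = e["Image"].lower().endswith(MAIL_CLIENTS)
            if e["DestPort"] in MAIL_PORTS and e["Pid"] in self_spawned and not is_mail_client:
                findings.append(("smtp_from_self_spawned_child", e["Pid"], dest))
    return findings


# Constructed events. PIDs, image path, domain, IP and port are the report's;
# the parent of PID 6920, the benign Outlook process and 203.0.113.10 are made up.
SAMPLE = r"C:\Users\user\Desktop\i6xFULh8J5.exe"
EVENTS = [
    {"type": "ProcessCreate", "Pid": 6920, "ParentPid": 4100, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "Pid": 6956, "ParentPid": 6920, "Image": SAMPLE, "ParentImage": SAMPLE},
    {"type": "DnsQuery", "Pid": 6956, "QueryName": "mail.mytravelws.com"},
    {"type": "NetworkConnect", "Pid": 6956, "Image": SAMPLE, "DestIp": "185.145.97.154", "DestPort": 587},
    {"type": "DnsQuery", "Pid": 6956, "QueryName": "api.ipify.org"},  # in memory strings; too generic to alert on
    {"type": "NetworkConnect", "Pid": 2040, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestIp": "203.0.113.10", "DestPort": 587},  # benign mail client, must not fire
]


def run() -> List[Finding]:
    """Apply the rules to the constructed events with the report's indicators."""
    return detect(EVENTS, iocs_from_config(CONFIG, OBSERVED_IPS))


if __name__ == "__main__":
    for rule, pid, detail in run():
        print(f"{rule:30} pid={pid} {detail}")
```

The self-spawn rule alone is noisy (updaters and some installers do it), which is why the SMTP rule requires both the self-spawn and a mail port from a process that is not a mail client; the IOC rules are exact and should be the first thing pushed to DNS and egress logging.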

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 13 entries shown; the Strings column is empty in this export)

            Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.i6xFULh8J5.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.i6xFULh8J5.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.i6xFULh8J5.exe.2310000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.i6xFULh8J5.exe.2310000.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.i6xFULh8J5.exe.415058.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 31 entries shown; the Strings column is empty in this export)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 1.1.i6xFULh8J5.exe.415058.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}
Multi AV Scanner detection for submitted file
Source: i6xFULh8J5.exe | Virustotal: Detection: 13%
Machine Learning detection for sample
Source: i6xFULh8J5.exe | Joe Sandbox ML: detected
Source: 1.2.i6xFULh8J5.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.i6xFULh8J5.exe.4860000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.1.i6xFULh8J5.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

                      Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Unpacked PE file: 1.2.i6xFULh8J5.exe.4860000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack
Source: i6xFULh8J5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_0040263E FindFirstFileA
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 185.145.97.154:587
Source: Joe Sandbox View | IP Address: 185.145.97.154
Source: Joe Sandbox View | ASN Name: HOSTWINDSUS
Source: unknown | DNS traffic detected: queries for: mail.mytravelws.com
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://DZUhkq.com
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: i6xFULh8J5.exe, 00000001.00000003.891159515.00000000059C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: i6xFULh8J5.exe, 00000001.00000002.918823038.00000000059DD000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationScZ
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp | String found in binary or memory: http://mail.mytravelws.com
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp | String found in binary or memory: http://mytravelws.com
Source: i6xFULh8J5.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: i6xFULh8J5.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915499236.0000000002696000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000003.871081377.0000000004FC1000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915635781.0000000002704000.00000004.00000001.sdmp | String found in binary or memory: https://Aloa82nGvgBCiZ.org
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00404853
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00406131
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_6FC71A98
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_05969919
Source: i6xFULh8J5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: i6xFULh8J5.exe, 00000000.00000003.654308462.0000000009D0F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.913725980.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.914372440.0000000000840000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.919010044.0000000005F70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs i6xFULh8J5.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/5@4/1
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File created: C:\Users\user\AppData\Roaming\xnpbd3fr.5ju
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File created: C:\Users\user\AppData\Local\Temp\nsb5CBB.tmp
Source: i6xFULh8J5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 entries)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File read: C:\Windows\System32\drivers\etc\hosts (5 entries)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File read: C:\Users\user\Desktop\i6xFULh8J5.exe
Source: unknown | Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe' (2 entries)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                      Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Unpacked PE file: 1.2.i6xFULh8J5.exe.4860000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack
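The unpack identifiers in the signatures above and the memory-dump names in the Yara Overview are compact and not documented on this page. The Python below is an added example, not Joe Sandbox code, that decodes both: it splits a dump name into process index, dump pass, base address and protection value, naming the protection on the assumption that the field holds the Windows PAGE_* constant, and it diffs the two section-rights strings from the "changes PE section rights" signature. The assumption is consistent with this report: the 0x400000 dump tagged 0x40 (execute/read/write) is the region the AgentTesla rules match and the one reported as having its PE header overwritten, while the 0x840000 dump tagged 0x02 (read-only) is the one carrying the mscorrc.dll version resource. The report does not say which side of the "vs" is the on-disk image; the diff only shows that one layout has NSIS's .ndata section and the other has .gfids. The meaning of the last dump-name field is unknown and is kept as a raw number.

```python
"""Decoders for two identifier formats in this report (added example, not
Joe Sandbox code).

Dump names look like 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp.
Assumed layout (the report does not document it): process index . dump pass .
dump id . base address . page protection (Windows PAGE_* value) . kind.
Section rights look like ".text:ER;.rdata:R;..." with E=execute, R=read, W=write.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))

_DUMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)


class Dump(NamedTuple):
    process: int    # index in the process tree (0 = first sample instance, 1 = its child)
    dump_pass: int  # matches the middle number of the "1.2.<name>.unpack" identifiers
    dump_id: int
    base: int       # region base address
    protect: int    # raw protection value (assumed PAGE_*)
    kind: int       # meaning unknown; kept as-is


def parse_dump_name(name: str) -> Dump:
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    proc, dpass, did, base, prot, kind = m.groups()
    return Dump(int(proc, 16), int(dpass, 16), int(did), int(base, 16), int(prot, 16), int(kind, 16))


def protection_name(value: int) -> str:
    """0x40 -> 'PAGE_EXECUTE_READWRITE'; 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    base = value & 0xFF
    parts = [PAGE_PROTECT.get(base, f"0x{base:02x}")]
    parts += [name for bit, name in PAGE_MODIFIERS if value & bit]
    return "|".join(parts)


def is_executable(value: int) -> bool:
    """True when any PAGE_EXECUTE* bit (0x10..0x80) is set."""
    return bool(value & 0xF0)


def triage_dumps(names: List[str]) -> List[Tuple[int, str, str, bool]]:
    """(process, base as hex, protection, executable?) per dump. Executable and
    writable regions are the ones to open first when hunting an unpacked payload."""
    out = []
    for n in names:
        d = parse_dump_name(n)
        out.append((d.process, f"0x{d.base:x}", protection_name(d.protect), is_executable(d.protect)))
    return out


def parse_section_rights(s: str) -> Dict[str, str]:
    """'.text:ER;.rdata:R;' -> {'.text': 'ER', '.rdata': 'R'}"""
    return dict(part.split(":", 1) for part in s.strip().strip(";").split(";") if part)


def diff_section_rights(first: str, second: str) -> Dict[str, object]:
    """Sections present on one side only, and sections whose rights differ."""
    a, b = parse_section_rights(first), parse_section_rights(second)
    return {
        "only_in_first": sorted(set(a) - set(b)),
        "only_in_second": sorted(set(b) - set(a)),
        "rights_changed": {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]},
    }


# Identifiers copied from this report.
DUMPS = [
    "00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp",
    "00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000002.914372440.0000000000840000.00000002.00000001.sdmp",
]
RIGHTS_LINE = ".text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;"


def section_diff_from_report() -> Dict[str, object]:
    first, second = RIGHTS_LINE.split(" vs ")
    return diff_section_rights(first, second)


if __name__ == "__main__":
    for row in triage_dumps(DUMPS):
        print(row)
    print(section_diff_from_report())
```

Run against the three dump names the triage marks only the 0x400000 region as executable, which is where to start when pulling the AgentTesla payload out of the process; the section diff reports no permission changes on shared sections, so the signature's "changes section rights" is driven by the differing section sets rather than by a section being made writable.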
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_6FC72F60 push eax; ret 0_2_6FC72F8E
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_05979E84 push ecx; iretd 1_3_05979E89 (4 entries)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597E21F push edx; retf 1_3_0597E221
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597C107 pushad ; retf 1_3_0597C115
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597E20D push edx; retf 1_3_0597E21E
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597E250 push eax; retf 1_3_0597E251
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597E25A push edx; retf 1_3_0597E25B
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_0597CD64 pushad ; ret 1_3_0597CD65
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 1_3_05965B3B push FFFFFFDBh; iretd 1_3_05965B4C
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File created: C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Process information set: NOOPENFILEERRORBOX (66 identical entries)

                      Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Window / User API: threadDelayed 626
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Window / User API: threadDelayed 9227
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5872 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868 | Thread sleep count: 626 > 30
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868 | Thread sleep count: 9227 > 30
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 entries)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_0040263E FindFirstFileA
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the four Hyper-V strings come from the same read-only dump (917679426 at 0x50C0000) that carries the Kernelbase.dll.mui version resource elsewhere in this report; they are Windows error-message text mapped into the process, not evidence of a Hyper-V check by the sample. The WMI queries, the VMware CD-ROM device lookup and the oversized sleeps are the actual evasion indicators here.
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Section loaded: unknown target: C:\Users\user\Desktop\i6xFULh8J5.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405B88
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.916734898.0000000004862000.00000