Loading ...

Play interactive tourEdit tour

Analysis Report HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe

Overview

General Information

Sample Name:HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
Analysis ID:433036
MD5:14f4f4356a708f1e9e18c6c71ef3153e
SHA1:a04edf6cb2d97539a509d17411a5884f75d5e5cf
SHA256:0a27c51c891f44c26d8db8848822880a8209830faf2d8c00e8729151ae76be4f
Tags:exegeoHalkbankTUR
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "service@bmrtecpack.comABdiamond6_mail.bmrtecpack.commozsahim67@gmail.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000003.00000000.217706120.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000003.00000000.217706120.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.35f2748.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.35f2748.1.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                3.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  3.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "service@bmrtecpack.comABdiamond6_mail.bmrtecpack.commozsahim67@gmail.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeReversingLabs: Detection: 23%
                      Machine Learning detection for sampleShow sources
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeJoe Sandbox ML: detected
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: Consistency.pdb source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: Binary string: Consistency.pdbH source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_04531298
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_045329B0
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_045329B8
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_04531288
                      Source: global trafficTCP traffic: 192.168.2.3:49743 -> 184.95.37.27:587
                      Source: Joe Sandbox ViewIP Address: 184.95.37.27 184.95.37.27
                      Source: Joe Sandbox ViewASN Name: SSASN2US SSASN2US
                      Source: global trafficTCP traffic: 192.168.2.3:49743 -> 184.95.37.27:587
                      Source: unknownDNS traffic detected: queries for: mail.bmrtecpack.com
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://bmrtecpack.com
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: http://ePfJSq.com
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://mail.bmrtecpack.com
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0B
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.484187088.0000000003334000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmp, HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000003.423100074.0000000000BC4000.00000004.00000001.sdmpString found in binary or memory: https://9YHNdCcoTaUn.org
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.220437474.0000000003539000.00000004.00000001.sdmp, HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000000.217706120.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.482152633.0000000003071000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219282495.000000000093B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCCE3BAC3u002d7DB4u002d40C1u002dA125u002d99E23B635274u007d/C57E4028u002d19CEu002d45FCu002d9542u002d6369A7E1B671.csLarge array initialization: .cctor: array initializer size 11977
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6B5AC0_2_00B6B5AC
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6E4700_2_00B6E470
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6CA2B0_2_00B6CA2B
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6B1E00_2_00B6B1E0
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6B5A00_2_00B6B5A0
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_0453067A0_2_0453067A
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_045300D00_2_045300D0
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_045307D70_2_045307D7
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_011751143_2_01175114
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_011708983_2_01170898
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_011785483_2_01178548
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_011700403_2_01170040
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_0117E8903_2_0117E890
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_01172A583_2_01172A58
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_01172AB83_2_01172AB8
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_0123B9083_2_0123B908
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_01236C4C3_2_01236C4C
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_012400623_2_01240062
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_0124B0F03_2_0124B0F0
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_012497B83_2_012497B8
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_01245E483_2_01245E48
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_0124CF103_2_0124CF10
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_012472403_2_01247240
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenXOvOrEbczSOMbuQKuxXmuqDbcrtLzJGuFczuTT.exe4 vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.220856658.00000000036AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000000.208995346.000000000022E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsistency.exe< vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219282495.000000000093B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.220437474.0000000003539000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000002.00000000.215986662.000000000031E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsistency.exe< vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.477347413.0000000000AAE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsistency.exe< vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.479540519.00000000011A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.479505881.0000000001190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.477581620.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.476523997.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenXOvOrEbczSOMbuQKuxXmuqDbcrtLzJGuFczuTT.exe4 vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.479981873.0000000001250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeBinary or memory string: OriginalFilenameConsistency.exe< vs HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.150000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.150000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 2.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 2.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 2.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 2.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.9d0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.9d0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeMutant created: \Sessions\1\BaseNamedObjects\EEyHzFbTamTqJQq
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeReversingLabs: Detection: 23%
                      Source: unknownProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe 'C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe'
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Consistency.pdb source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe
                      Source: Binary string: Consistency.pdbH source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.150000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 2.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 2.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.9d0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_00B6EC68 pushad ; ret 0_2_00B6EC69
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 0_2_04532B70 pushad ; ret 0_2_04532B71
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.85752472578
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: '.cctor', 'OvQg6h', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 0.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.150000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: '.cctor', 'OvQg6h', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 2.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: '.cctor', 'OvQg6h', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 2.0.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.240000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: '.cctor', 'OvQg6h', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 3.2.HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe.9d0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: '.cctor', 'OvQg6h', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe PID: 2600, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWindow / User API: threadDelayed 2445Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWindow / User API: threadDelayed 7411Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe TID: 5676Thread sleep time: -104116s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe TID: 4180Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe TID: 3468Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe TID: 2172Thread sleep count: 2445 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe TID: 2172Thread sleep count: 7411 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeThread delayed: delay time: 104116Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeBinary or memory string: QEMUP
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000000.00000002.219661677.0000000002531000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.479214809.0000000001110000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeCode function: 3_2_01170898 LdrInitializeThunk,3_2_01170898
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeJump to behavior
                      Source: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeProcess created: C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe C:\Users\user\Desktop\HALKBANK_EKSTRE_20210611_080203_744623,PDF.exeJump to behavior
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.480682935.00000000019A0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.480682935.00000000019A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.480682935.00000000019A0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: HALKBANK_EKSTRE_20210611_080203_744623,PDF.exe, 00000003.00000002.480682935.00000000019A0000.00000002.00000001.sdmpBinary or memory string: Progmanlock