Loading ...

Play interactive tourEdit tour

Analysis Report Factura PO 1541973.exe

Overview

General Information

Sample Name:Factura PO 1541973.exe
Analysis ID:433037
MD5:429a3063db13e84f8e0843f46b60753e
SHA1:de9221c73fe3610393f1f9197dfecf0896ed776c
SHA256:62e122a12ea4ccace679e22b13975e1f0e476dda8373279d99b757635c8b06dc
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Factura PO 1541973.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\Factura PO 1541973.exe' MD5: 429A3063DB13E84F8E0843F46B60753E)
    • schtasks.exe (PID: 7084 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVzZfJoExG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A03.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Factura PO 1541973.exe (PID: 7136 cmdline: C:\Users\user\Desktop\Factura PO 1541973.exe MD5: 429A3063DB13E84F8E0843F46B60753E)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "dubai@skycomex.com@EHbqYU1us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.654058658.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000004.00000000.654058658.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000004.00000002.910233629.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000002.910233629.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000000.00000002.657464491.0000000003FA5000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.0.Factura PO 1541973.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.0.Factura PO 1541973.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.Factura PO 1541973.exe.404fad0.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.Factura PO 1541973.exe.404fad0.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    4.2.Factura PO 1541973.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dubai@skycomex.com@EHbqYU1us2.smtp.mailhostbox.com"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\lVzZfJoExG.exeMetadefender: Detection: 20%Perma Link
                      Source: C:\Users\user\AppData\Roaming\lVzZfJoExG.exeReversingLabs: Detection: 34%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Factura PO 1541973.exeVirustotal: Detection: 34%Perma Link
                      Source: Factura PO 1541973.exeMetadefender: Detection: 20%Perma Link
                      Source: Factura PO 1541973.exeReversingLabs: Detection: 34%
                      Source: 4.2.Factura PO 1541973.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 4.0.Factura PO 1541973.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: Factura PO 1541973.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Factura PO 1541973.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\pVNuovjPXl\src\obj\Debug\ConstructorInfo.pdbL source: Factura PO 1541973.exe
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\pVNuovjPXl\src\obj\Debug\ConstructorInfo.pdb source: Factura PO 1541973.exe

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 208.91.199.223:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49772 -> 208.91.199.223:587
                      Source: global trafficTCP traffic: 192.168.2.4:49771 -> 208.91.199.223:587
                      Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
                      Source: global trafficTCP traffic: 192.168.2.4:49771 -> 208.91.199.223:587
                      Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmp, Factura PO 1541973.exe, 00000004.00000003.858298741.0000000000BC4000.00000004.00000001.sdmpString found in binary or memory: http://kCE9JYg5iS.com
                      Source: Factura PO 1541973.exe, 00000000.00000002.655902349.0000000002DA1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Factura PO 1541973.exe, 00000004.00000002.912784647.0000000002DF5000.00000004.00000001.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://wJzLSk.com
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: Factura PO 1541973.exe, 00000000.00000002.657464491.0000000003FA5000.00000004.00000001.sdmp, Factura PO 1541973.exe, 00000004.00000000.654058658.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Factura PO 1541973.exe, 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.0.Factura PO 1541973.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bE03313AEu002d3B32u002d4C21u002d8888u002d76A497628B03u007d/u00356DE45A1u002d0E78u002d48B9u002dA86Au002d089C7C45AC59.csLarge array initialization: .cctor: array initializer size 11957
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_013BC3A00_2_013BC3A0
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_013BA7580_2_013BA758
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9B6280_2_05D9B628
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9C0480_2_05D9C048
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9822E0_2_05D9822E
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9AD980_2_05D9AD98
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9CFB00_2_05D9CFB0
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D97B000_2_05D97B00
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D975500_2_05D97550
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D975400_2_05D97540
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9F5300_2_05D9F530
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9B6180_2_05D9B618
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9A1900_2_05D9A190
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9A1A00_2_05D9A1A0
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9F0980_2_05D9F098
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9B0500_2_05D9B050
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D900400_2_05D90040
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9B0600_2_05D9B060
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D900070_2_05D90007
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9C0380_2_05D9C038
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9F2D00_2_05D9F2D0
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_05D9AD920_2_05D9AD92
                      Source: Factura PO 1541973.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lVzZfJoExG.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Factura PO 1541973.exe, 00000000.00000002.660645491.000000000BFC0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000000.00000002.657464491.0000000003FA5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVBQEHAlZHGNDbNAwDJmWxqJmACCGvaNOCDccRWP.exe4 vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000000.00000002.660113293.0000000005F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000000.00000002.661127774.000000000C0B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000000.00000002.661127774.000000000C0B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000000.00000002.655024928.0000000000A36000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorInfo.exe< vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000002.910233629.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameVBQEHAlZHGNDbNAwDJmWxqJmACCGvaNOCDccRWP.exe4 vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000002.911552216.0000000000ED0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000002.911598571.0000000000FF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000000.654201525.00000000006E6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorInfo.exe< vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000002.911323137.0000000000D9A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exe, 00000004.00000002.910525371.0000000000AF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exeBinary or memory string: OriginalFilenameConstructorInfo.exe< vs Factura PO 1541973.exe
                      Source: Factura PO 1541973.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Factura PO 1541973.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: lVzZfJoExG.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.0.Factura PO 1541973.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.Factura PO 1541973.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@1/1
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile created: C:\Users\user\AppData\Roaming\lVzZfJoExG.exeJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeMutant created: \Sessions\1\BaseNamedObjects\vWppkWwsbmKGuLII
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2A03.tmpJump to behavior
                      Source: Factura PO 1541973.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: Factura PO 1541973.exeVirustotal: Detection: 34%
                      Source: Factura PO 1541973.exeMetadefender: Detection: 20%
                      Source: Factura PO 1541973.exeReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile read: C:\Users\user\Desktop\Factura PO 1541973.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Factura PO 1541973.exe 'C:\Users\user\Desktop\Factura PO 1541973.exe'
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVzZfJoExG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A03.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Users\user\Desktop\Factura PO 1541973.exe C:\Users\user\Desktop\Factura PO 1541973.exe
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVzZfJoExG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A03.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Users\user\Desktop\Factura PO 1541973.exe C:\Users\user\Desktop\Factura PO 1541973.exeJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Factura PO 1541973.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Factura PO 1541973.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Factura PO 1541973.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\pVNuovjPXl\src\obj\Debug\ConstructorInfo.pdbL source: Factura PO 1541973.exe
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\pVNuovjPXl\src\obj\Debug\ConstructorInfo.pdb source: Factura PO 1541973.exe
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_013B043B pushad ; ret 0_2_013B0442
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeCode function: 0_2_013B0438 pushad ; ret 0_2_013B043A
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.96018720186
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.96018720186
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile created: C:\Users\user\AppData\Roaming\lVzZfJoExG.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVzZfJoExG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A03.tmp'
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Factura PO 1541973.exe PID: 6920, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWindow / User API: threadDelayed 922Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWindow / User API: threadDelayed 8896Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6924Thread sleep time: -102917s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6964Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6000Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6012Thread sleep count: 922 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6012Thread sleep count: 8896 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exe TID: 6000Thread sleep count: 35 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeThread delayed: delay time: 102917Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Factura PO 1541973.exe, 00000004.00000003.871802773.0000000000E81000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlles\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Factura PO 1541973.exe, 00000000.00000002.655976100.0000000002DDB000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeMemory written: C:\Users\user\Desktop\Factura PO 1541973.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVzZfJoExG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A03.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeProcess created: C:\Users\user\Desktop\Factura PO 1541973.exe C:\Users\user\Desktop\Factura PO 1541973.exeJump to behavior
                      Source: Factura PO 1541973.exe, 00000004.00000002.911734288.0000000001420000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: Factura PO 1541973.exe, 00000004.00000002.911734288.0000000001420000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Factura PO 1541973.exe, 00000004.00000002.911734288.0000000001420000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Factura PO 1541973.exe, 00000004.00000002.911734288.0000000001420000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Users\user\Desktop\Factura PO 1541973.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Users\user\Desktop\Factura PO 1541973.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000004.00000000.654058658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.910233629.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.657464491.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.0.Factura PO 1541973.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Factura PO 1541973.exe.404fad0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Factura PO 1541973.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Factura PO 1541973.exe.404fad0.2.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000004.00000000.654058658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.910233629.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.657464491.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.912086324.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Factura PO 1541973.exe PID: 7136, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Factura PO 1541973.exe PID: 6920, type: MEMORY
                      Source: Yara matchFile source: 4.0.Factura PO 1541973.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Factura PO 1541973.exe.404fad0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Factura PO 1541973.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Factura PO 1541973.exe.404fad0.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                      Source: C:\Users\user\Desktop\Factura PO 1541973.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data