
Analysis Report Sepa transfer advice notice Swift EUR89570 20210610.exe

Overview

General Information

Sample Name: Sepa transfer advice notice Swift EUR89570 20210610.exe
Analysis ID: 433084
MD5: 8c091ab1dde175164fc9441070cf6ea8
SHA1: 8f61f73a9973367246cfb7469bb391926d23e94f
SHA256: 84be680687949baa5cb970b2aba5fdbe772d548163921fa1b19e9e5fb14168d2

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "procurement@corroshield.co.idkramatjati1945mail.corroshield.co.idjohnmuller1922@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.465468823.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.465468823.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000000.226309172.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000000.226309172.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(6 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.3acd260.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data:
  Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
  CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
  ParentImage: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe
  ParentProcessId: 6004
  ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
  ProcessId: 6020
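The Sigma hit above is the most actionable record in this report: the sample launches powershell.exe non-interactively to add its own path to the Windows Defender exclusion list. What follows is added detection logic written for this page, not part of the Joe Sandbox report or of the Sigma rule itself. It runs over constructed process-creation events using Sysmon Event ID 1 field names; only the first event's command line, paths and process IDs are taken from the report, while the parent allow-list, the label names and the two benign control events are assumptions.

```python
"""Flag non-interactive PowerShell that adds a Windows Defender exclusion.

Added example for the Sigma hit in the report; not Joe Sandbox or Sigma code.
Events are constructed in the shape of a Sysmon Event ID 1 record.
"""
import re
from dataclasses import dataclass

# Parents from which a human typing PowerShell is expected (assumed list).
# Any other parent, such as an .exe on the Desktop, makes the launch
# "non-interactive" in the sense of the Sigma rule.
INTERACTIVE_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "windowsterminal.exe", "powershell_ise.exe",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Add-MpPreference with any exclusion switch; -ExclusionPath is the one in the report.
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I | re.S)
# Excluded path from a quoted -ExclusionPath argument (single or double quotes).
EXCLUSION_ARG_RE = re.compile(r"-ExclusionPath\s+[\"']([^\"']+)[\"']", re.I)


@dataclass
class ProcEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 field names)."""
    pid: int
    image: str
    command_line: str
    ppid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one event, in a fixed order."""
    out: list[str] = []
    if basename(ev.image) not in POWERSHELL:
        return out
    if basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        out.append("non_interactive_powershell")
    if "\\syswow64\\" in ev.image.lower():
        # A 32-bit parent asking for System32\powershell.exe gets the WoW64
        # copy instead; the report shows exactly this Image/CommandLine mismatch.
        out.append("wow64_powershell")
    if EXCLUSION_RE.search(ev.command_line):
        out.append("defender_exclusion_added")
        excluded = [p.lower() for p in EXCLUSION_ARG_RE.findall(ev.command_line)]
        if ev.parent_image.lower() in excluded:
            # The excluded path is the parent binary itself: self-whitelisting.
            out.append("parent_excludes_itself")
    return out


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> findings, dropping events with nothing to report."""
    return {ev.pid: f for ev in events if (f := findings(ev))}


SAMPLE = r"C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. The first mirrors the Sigma hit in the report
# (parent pid 6004, child pid 6020); the other two are benign controls.
EVENTS = [
    ProcEvent(6020, PS32, f"\"{PS64}\" Add-MpPreference -ExclusionPath '{SAMPLE}'", 6004, SAMPLE),
    ProcEvent(7001, PS64, f"\"{PS64}\" -NoProfile Get-Process", 4321, r"C:\Windows\explorer.exe"),
    ProcEvent(7002, PS64, f"\"{PS64}\" -File C:\\ProgramData\\backup.ps1", 900,
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, labels in scan(EVENTS).items():
        print(pid, ", ".join(labels))
```

The WoW64 check matters for correlation: the CommandLine names System32\powershell.exe, but the Image field is SysWOW64\powershell.exe because a 32-bit parent is subject to file system redirection, so rules keyed on the System32 path alone miss this launch. On a live host, `(Get-MpPreference).ExclusionPath` lists the exclusion once it has been added; the event-based check fires at the moment of the attempt instead.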

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "procurement@corroshield.co.idkramatjati1945mail.corroshield.co.idjohnmuller1922@gmail.com"}
Multi AV Scanner detection for submitted file
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | VirusTotal: Detection: 23%
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Metadefender: Detection: 22%
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Joe Sandbox ML: detected
Source: 6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jfpfZtpgHc\src\obj\x86\Debug\HStringMarshaler.pdb | source: Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 147.185.114.103:587
Source: Joe Sandbox View | IP Address: 147.185.114.103 147.185.114.103
Source: Joe Sandbox View | ASN Name: KVCNET-2009US KVCNET-2009US
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 147.185.114.103:587
Source: unknown | DNS traffic detected: queries for: mail.corroshield.co.id
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: http://KoHxKp.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://corroshield.co.id
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000003.00000002.297022950.0000000000CF6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://mail.corroshield.co.id
Source: powershell.exe, 00000003.00000003.275250592.0000000007B12000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.298885774.0000000004ABD000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngP
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/01
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474740364.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000003.00000002.298885774.0000000004ABD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234355327.0000000002971000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.298626666.0000000004981000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.298885774.0000000004ABD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000003.275250592.0000000007B12000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.298885774.0000000004ABD000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.205011759.0000000005905000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204956780.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlu
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.228511522.00000000058C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.228511522.00000000058C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com)
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.205431716.00000000058FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.205692144.00000000058D9000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206181758.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd4
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.228511522.00000000058C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.comG
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206181758.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comic
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206181758.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comion/j
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.228511522.00000000058C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comionm
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206015716.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtoo
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.201053366.00000000058DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com5
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.202140470.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.202348930.00000000058C6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.202140470.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnL
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.202006678.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.202140470.00000000058C7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnx
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206563209.00000000058C5000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206485105.00000000058D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206667747.00000000058DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmG
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204320737.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204956780.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//dl
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204320737.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/j
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/argeu
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ns.
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204634005.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/the
Source: powershell.exe, 00000003.00000003.296089702.00000000090B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.200713600.00000000058C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.200713600.00000000058C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.200713600.00000000058C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204956780.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.204956780.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com8
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000003.206015716.00000000058C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.240556918.0000000006AD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474620728.00000000034A8000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474892758.00000000034D5000.00000004.00000001.sdmp, Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.474224361.000000000345E000.00000004.00000001.sdmp | String found in binary or memory: https://JdqRt699Fiq6FgvOvGJ.com
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: https://JdqRt699Fiq6FgvOvGJ.comh
Source: powershell.exe, 00000003.00000003.275250592.0000000007B12000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.298885774.0000000004ABD000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/PesterP
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.465468823.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.472330413.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.230784050.0000000000C6B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

.NET source code contains very large array initializations
Source: 6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack, <PrivateImplementationDetails>{9FC01524-0F23-436A-9123-DD5244CC6911}/80D85183-7FE3-412E-AD47-6BA1935BCC72.cs | Large array initialization: .cctor: array initializer size 11973
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack, <PrivateImplementationDetails>{9FC01524-0F23-436A-9123-DD5244CC6911}/80D85183-7FE3-412E-AD47-6BA1935BCC72.cs | Large array initialization: .cctor: array initializer size 11973
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 1_2_003FA90E
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 1_2_003F63D5
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 1_2_00F4C2B0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 1_2_00F49970
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 5_2_0041A90E
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 5_2_004163D5
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00DB63D5
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00DBA90E
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FB40E8
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FBC8C8
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FB4950
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FB6268
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FB1218
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_00FBBA88
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_0131AB28
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_0131EB78
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01311FE0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01312618
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01315A68
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_0131B110
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01318998
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01311049
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_0131EB64
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_0131123F
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_01310EC1
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015C47A0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015C4750
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015C4730
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015C46F0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015C46B0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_015CD820
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_02F71620
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_02F747B0
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_02F7EC88
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_02F73C28
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Code function: 6_2_02F79DE0
                      Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exeCode function: 6_2_02F7AD906_2_02F7AD90
                      Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exeCode function: 6_2_02F78D706_2_02F78D70
                      Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exeCode function: 6_2_02F7C0706_2_02F7C070
                      Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exeCode function: 6_2_02F77D886_2_02F77D88
                      Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exeCode function: 6_2_02F71D706_2_02F71D70
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Binary or memory string: OriginalFilename vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.243691204.000000000E500000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234355327.0000000002971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTCTnjSDlSaeRBmgBeVAEoZBDbHrjGLJGjjjEh.exe4 vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.242488360.0000000008760000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.242488360.0000000008760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.230784050.0000000000C6B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.242647345.00000000089B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Binary or memory string: OriginalFilename vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Binary or memory string: OriginalFilename vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.468526780.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.468568075.0000000001300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.465468823.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameTCTnjSDlSaeRBmgBeVAEoZBDbHrjGLJGjjjEh.exe4 vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.468304082.0000000000FD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000006.00000002.471452511.0000000002F80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Binary or memory string: OriginalFilenameHStringMarshaler.exeZ vs Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/5@2/1
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sepa transfer advice notice Swift EUR89570 20210610.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebiqguc4.oa0.ps1
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, 00000001.00000002.234451839.00000000029B4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Virustotal: Detection: 23%
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Metadefender: Detection: 22%
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe'
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process created: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jfpfZtpgHc\src\obj\x86\Debug\HStringMarshaler.pdb source: Sepa transfer advice notice Swift EUR89570 20210610.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sepa transfer advice notice Swift EUR89570 20210610.exe, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.3f0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.3f0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.410000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.410000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.db0000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Sepa transfer advice notice Swift EUR89570 20210610.exe.db0000.1.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.Sepa transfer advice notice Swift EUR89570 20210610.exe.db0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.86647450776
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | File created: \sepa transfer advice notice swift eur89570 20210610.exe

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\sepa transfer advice notice swift eur89570 20210610.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG142.tmp
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sepa transfer advice notice Swift EUR89570 20210610.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX