
Windows Analysis Report 6P61y0u6Nn

Overview

General Information

Sample Name: 6P61y0u6Nn (renamed file extension from none to exe)
Analysis ID: 483898
MD5: 83f51a31a3b9ed0a4087aca907befdeb
SHA1: f3805488954d7bdb7b1d83ef77968ae59170a1e9
SHA256: d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e
Tags: AfiaWaveEnterprisesOy, AgentTesla, exe, signed

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • 6P61y0u6Nn.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\6P61y0u6Nn.exe' MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
    • AdvancedRun.exe (PID: 6492 cmdline: 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 244 cmdline: 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 5576 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5356 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 724 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6692 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6824 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 7ADA33B7.exe (PID: 6804 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
      • AdvancedRun.exe (PID: 4740 cmdline: 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 5572 cmdline: 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 6776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6472 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6608 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6460 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 2248 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • 7ADA33B7.exe (PID: 2376 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
    • powershell.exe (PID: 4688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6376 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 6P61y0u6Nn.exe (PID: 5848 cmdline: C:\Users\user\Desktop\6P61y0u6Nn.exe MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
  • svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 7ADA33B7.exe (PID: 4868 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
    • AdvancedRun.exe (PID: 6860 cmdline: 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5104 cmdline: 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 5248 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3200 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6676 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6388 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5892 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6468 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6308 cmdline: 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
    • AdvancedRun.exe (PID: 7148 cmdline: 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5140 cmdline: 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 4672 cmdline: 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' MD5: 83F51A31A3B9ED0A4087ACA907BEFDEB)
    • AdvancedRun.exe (PID: 5156 cmdline: 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.0.6P61y0u6Nn.exe.3737fb8.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\6P61y0u6Nn.exe' , ParentImage: C:\Users\user\Desktop\6P61y0u6Nn.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, ProcessId: 5576
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\6P61y0u6Nn.exe' , ParentImage: C:\Users\user\Desktop\6P61y0u6Nn.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force, ProcessId: 5576
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132762200989915499.5576.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\6P61y0u6Nn.exe' , ParentImage: C:\Users\user\Desktop\6P61y0u6Nn.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, ProcessId: 724

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: 6P61y0u6Nn.exe; Virustotal: Detection: 57%
Source: 6P61y0u6Nn.exe; Metadefender: Detection: 37%
Source: 6P61y0u6Nn.exe; ReversingLabs: Detection: 78%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe; Metadefender: Detection: 37%
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe; ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: 6P61y0u6Nn.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe; Joe Sandbox ML: detected

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.4d20000.14.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.3867e10.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.3867e10.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.4d20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.3807dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.6P61y0u6Nn.exe.3827df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.532733864.0000000004D20000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR
Source: 6P61y0u6Nn.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe; Directory created: C:\Program Files\Common Files\System\E59A6148
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe; Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe
Source: 6P61y0u6Nn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.391449311.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source: Binary string: jC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source: Binary string: 7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: kpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbj% source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbxc.MMbisualB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: w.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: _ .pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: jpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp
Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source: Binary string: } .pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbF424491E3931}\InprocServer32 source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source: Binary string: wsymbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb9 source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487711905.00000000008B1000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbH source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: 6P61y0u6Nn.PDB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdbxj source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbW source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\6P61y0u6Nn.PDBw source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbst source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File opened: C:\Users\user\AppData\
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://ocsp.comodoca.com0
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://ocsp.sectigo.com0
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://regexlib.com/
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://www.davidemauri.it/
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: http://www.nirsoft.net/
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
                      Source: 6P61y0u6Nn.exe | String found in binary or memory: https://sectigo.com/CPS0
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: https://sectigo.com/CPS0C
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr | String found in binary or memory: https://sectigo.com/CPS0D
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: unknown | DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

                      System Summary:

                      Source: 6P61y0u6Nn.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
                      Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.488544878.0000000000B30000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.483413213.00000000003E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp | Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.496559567.000000000289B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametEnxeoGUbsIbZIOzasmmdEfR.exe4 vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe, 0000001E.00000000.476734025.0000000000CE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exe | Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
                      Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6P61y0u6Nn.exe | Virustotal: Detection: 57%
                      Source: 6P61y0u6Nn.exe | Metadefender: Detection: 37%
                      Source: 6P61y0u6Nn.exe | ReversingLabs: Detection: 78%
                      Source: C:\Users\user\Desktop\6P61y0u6Nn.exe | File read: C:\Users\user\Desktop\6P61y0u6Nn.exe
                      Source: 6P61y0u6Nn.exeStati