
Windows Analysis Report: QUOTE 7129.bat

Overview

General Information

Sample Name: QUOTE 7129.bat (renamed file extension from bat to exe)
Analysis ID: 502636
MD5: c5cc1718876b11652a056bfb7c819521
SHA1: 37beee9cd4da05c76e9e79a98e824d7f103bf986
SHA256: bd6fb4af1ac12b02fdfa5df9ce0094710fab6415f3154cdcc6c1e5d8b7f351a1
Tags: AgentTesla, bat, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • QUOTE 7129.exe (PID: 6056 cmdline: 'C:\Users\user\Desktop\QUOTE 7129.exe' MD5: C5CC1718876B11652A056BFB7C819521)
    • QUOTE 7129.exe (PID: 5876 cmdline: C:\Users\user\Desktop\QUOTE 7129.exe MD5: C5CC1718876B11652A056BFB7C819521)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(10 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.QUOTE 7129.exe.3c15220.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.QUOTE 7129.exe.3c15220.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.QUOTE 7129.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.QUOTE 7129.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.QUOTE 7129.exe.3c15220.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 further entries not shown)
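The dump identifiers in the two tables above encode where each Yara hit came from, and reading them correctly is what lets you tie the hits to the process tree and the injection event later in the report. The following Python parser is an added example, not part of the Joe Sandbox report: it splits both identifier styles and decodes the Windows page-protection value. The field layout it assumes (process index, stage, dump id, base address, protection, flags for `.sdmp`; process index, stage, image name, base address, index, optional `raw` for `.unpack`) and the mapping of process index 0 to PID 6056 and index 1 to PID 5876 are inferred from this report, not taken from vendor documentation. The `DUMP_IDS` list is copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants from winnt.h, used to decode the
# protection field of a ".sdmp" identifier.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100

# Assumed layout (inferred from this report, not vendor documentation):
#   <process index>.<stage>.<dump id>.<base>.<protection>.<flags>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout: <process index>.<stage>.<image name>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$"
)

# Identifiers copied from the Memory Dumps and Unpacked PEs tables of this report.
DUMP_IDS = [
    "00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp",
    "00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp",
    "00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp",
    "00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp",
    "00000000.00000002.246572300.0000000005E80000.00000004.00020000.sdmp",
    "0.2.QUOTE 7129.exe.3c15220.2.unpack",
    "1.2.QUOTE 7129.exe.400000.0.unpack",
    "0.2.QUOTE 7129.exe.3c15220.2.raw.unpack",
    "0.2.QUOTE 7129.exe.2bb1170.1.raw.unpack",
]


@dataclass
class Dump:
    source: str
    process: int          # 0 = parent PID 6056, 1 = child PID 5876 (inferred from the process tree)
    stage: int
    base: int
    kind: str             # "sdmp" (raw memory dump) or "unpack" (reconstructed PE)
    protection: Optional[int] = None   # only .sdmp names carry a protection value

    @property
    def protection_name(self) -> str:
        if self.protection is None:
            return "n/a"
        name = PAGE_PROTECTIONS.get(self.protection & 0xFF, "UNKNOWN")
        return name + ("|PAGE_GUARD" if self.protection & PAGE_GUARD else "")

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* constant lives in the high nibble of the low byte.
        return self.protection is not None and bool(self.protection & 0xF0)


def parse_dump_id(text: str) -> Dump:
    """Parse either identifier style; raise on anything else."""
    m = SDMP_RE.match(text)
    if m:
        return Dump(text, int(m["proc"], 16), int(m["stage"], 16),
                    int(m["base"], 16), "sdmp", int(m["prot"], 16))
    m = UNPACK_RE.match(text)
    if m:
        return Dump(text, int(m["proc"]), int(m["stage"]), int(m["base"], 16), "unpack")
    raise ValueError(f"unrecognised dump identifier: {text!r}")


def injected_image_candidates(dumps: List[Dump], target_process: int, written_base: int) -> List[Dump]:
    """Dumps taken from the injection *target* whose base equals the address the
    parent wrote an MZ header to (the report's 'Memory written ... base: 400000')."""
    return [d for d in dumps if d.process == target_process and d.base == written_base]


if __name__ == "__main__":
    dumps = [parse_dump_id(s) for s in DUMP_IDS]
    for d in dumps:
        print(f"proc={d.process} stage={d.stage} base=0x{d.base:X} {d.kind:6} {d.protection_name}")
    for d in injected_image_candidates(dumps, 1, 0x400000):
        print("injected image candidate:", d.source)
```

Run against these identifiers, `injected_image_candidates(dumps, 1, 0x400000)` returns exactly `1.2.QUOTE 7129.exe.400000.0.unpack`, the dump that both AgentTesla Yara rules and the Avira label hit. The `.sdmp` at 0x402000 in the same process decodes to PAGE_EXECUTE_READWRITE (0x40), which is consistent with a hollowed image, whereas the parent's dumps at 0x2B91000, 0x3B99000 and 0x5E80000 are PAGE_READWRITE heap regions, consistent with the payload being decrypted in the parent before it is written into the child.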

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}
Multi AV Scanner detection for submitted file
Source: QUOTE 7129.exe, Virustotal: Detection: 42%
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: QUOTE 7129.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTE 7129.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, String found in binary or memory: http://RSNcbZ.com
Source: QUOTE 7129.exe, String found in binary or memory: http://gcr.github.com/super-sudoku-for-windows/
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: QUOTE 7129.exe, 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, QUOTE 7129.exe, 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, <PrivateImplementationDetails>{041C5864-8BC5-4FD4-8275-9B3B73CB91FA}/FA9420DD-9003-4CC1-9A6E-DA16936AF8BD.cs, Large array initialization: .cctor: array initializer size 11777
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_007A4FE4
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_00FCC124
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_00FCE570
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_00FCE560
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F80040
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F86010
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F86000
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F80006
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F80346
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_009E4FE4
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BCAB70
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC2D50
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC2618
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC1FE1
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BCCA68
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC9DB8
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BD4660
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BDA8E8
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BD5D80
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_014246A0
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_01424690
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_0142DA00
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BCD2B8
Source: QUOTE 7129.exe, Binary or memory string: OriginalFilename vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.246572300.0000000005E80000.00000004.00020000.sdmp, Binary or memory string: OriginalFilenameUI.dll< vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.506867447.0000000000438000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.509760538.00000000012AA000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.508685597.0000000000EF8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTE 7129.exe
Source: QUOTE 7129.exe, Binary or memory string: OriginalFilenameContinuationResultTaskFromTa.exe8 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\QUOTE 7129.exe 'C:\Users\user\Desktop\QUOTE 7129.exe'
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\QUOTE 7129.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE 7129.exe.log
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Mutant created: \Sessions\1\BaseNamedObjects\ZypyrYXSztKSWDInUrsOgsZc
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\QUOTE 7129.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTE 7129.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTE 7129.exe, WelcomeForm.cs, .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs, .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs, .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.QUOTE 7129.exe.9e0000.0.unpack, WelcomeForm.cs, .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.QUOTE 7129.exe.9e0000.1.unpack, WelcomeForm.cs, .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_007A800D push es; ret 0_2_007A8018
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_00FCF930 pushad ; iretd 0_2_00FCF931
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F84513 push ss; ret 0_2_05F84516
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F84126 push ss; ret 0_2_05F84127
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F8505D push E9FFFFFEh; retf 0_2_05F85062
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F83FD2 push FFFFFFF1h; ret 0_2_05F83FD4
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F84F42 pushfd ; iretd 0_2_05F84F43
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F83F36 push es; ret 0_2_05F83F37
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F84ED0 pushad ; iretd 0_2_05F84ED1
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 0_2_05F85BA0 push 28054CD0h; iretd 0_2_05F85BAD
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_009E800D push es; ret 1_2_009E8018
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC7A37 push edi; retn 0000h 1_2_00BC7A39
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC8326 push ecx; retf 1_2_00BC832C
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BC8352 push ecx; retf 1_2_00BC832C
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Code function: 1_2_00BD05C8 push 3C00BBCBh; retf 1_2_00BD05CD
Source: initial sample, Static PE information: section name: .text entropy: 7.92204747437
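Two of the static indicators in this section, the push/ret sequences and the 7.92 bits-per-byte entropy of .text, are easy to reproduce and worth understanding before trusting them. The block below is an added example, not code from the report or from Joe Security: a Shannon entropy function and a linear-sweep scanner for the push/ret forms the report lists (one-byte push of a register or segment register, pushad, pushfd, push imm8, push imm32, each followed by ret, retf, iretd or retn imm16). The `SAMPLE` bytes are constructed to exercise every form and are not bytes from the sample; the 7.5 packed-section threshold is a common heuristic chosen for this example, not the sandbox's.

```python
import math
from collections import Counter
from typing import List, Tuple

# One-byte x86 push forms; directly followed by a return they become a
# push/ret branch, the pattern the "call, push, ret" signature looks for.
PUSH_ONE_BYTE = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x60: "pushad", 0x9C: "pushfd",
}
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
PUSH_IMM8, PUSH_IMM32, RETN_IMM16 = 0x6A, 0x68, 0xC2

PACKED_ENTROPY = 7.5   # heuristic threshold (assumption of this example), not the sandbox's

# Constructed byte string exercising every form the report lists; not sample bytes.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp  (benign prologue, no hit)
    0x68, 0xCB, 0xBB, 0x00, 0x3C, 0xCB,  # push 3C00BBCBh; retf
    0x90,                                # nop
    0x06, 0xC3,                          # push es; ret
    0x57, 0xC2, 0x00, 0x00,              # push edi; retn 0000h
    0x6A, 0xF1, 0xC3,                    # push FFFFFFF1h; ret  (imm8, sign-extended)
    0x60, 0xCF,                          # pushad; iretd
    0xC3,                                # lone ret, no hit
])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_push_ret(data: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Linear sweep for push/ret pairs; returns (address, mnemonic) per hit."""
    hits, i = [], 0
    while i < len(data):
        op = data[i]
        if op in PUSH_ONE_BYTE and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt in RETURNS:
                hits.append((base + i, f"{PUSH_ONE_BYTE[op]}; {RETURNS[nxt]}"))
                i += 2
                continue
            if nxt == RETN_IMM16 and i + 3 < len(data):
                imm = int.from_bytes(data[i + 2:i + 4], "little")
                hits.append((base + i, f"{PUSH_ONE_BYTE[op]}; retn {imm:04X}h"))
                i += 4
                continue
        elif op == PUSH_IMM8 and i + 2 < len(data) and data[i + 2] in RETURNS:
            # push imm8 sign-extends to 32 bits, which is why the report shows FFFFFFF1h
            imm = int.from_bytes(data[i + 1:i + 2], "little", signed=True) & 0xFFFFFFFF
            hits.append((base + i, f"push {imm:08X}h; {RETURNS[data[i + 2]]}"))
            i += 3
            continue
        elif op == PUSH_IMM32 and i + 5 < len(data) and data[i + 5] in RETURNS:
            imm = int.from_bytes(data[i + 1:i + 5], "little")
            hits.append((base + i, f"push {imm:08X}h; {RETURNS[data[i + 5]]}"))
            i += 6
            continue
        i += 1
    return hits


def triage_section(data: bytes, base: int = 0) -> dict:
    """Combine both static indicators for one section or memory region."""
    ent = shannon_entropy(data)
    return {"entropy": round(ent, 3), "looks_packed": ent >= PACKED_ENTROPY,
            "push_ret": find_push_ret(data, base)}


if __name__ == "__main__":
    for addr, mnemonic in find_push_ret(SAMPLE, base=0x05F80000):
        print(f"{addr:08X}  {mnemonic}")
    print(triage_section(bytes(range(256)) * 4))
```

Treat the two indicators differently. A linear sweep finds push/ret pairs anywhere a push opcode happens to precede a return opcode, and in a .NET process most of the hits above sit at odd offsets in the 0x05F8xxxx and 0x00BCxxxx ranges that hold JIT output and data, so on their own they are weak evidence. The .text entropy of 7.92, together with the `Assembly.Load(System.Byte[])` call in WelcomeForm.cs and the `CreateDecryptor`/`TransformFinalBlock` use reported in A/b2.cs, is the stronger signal: the stub decrypts an embedded assembly and loads it from memory.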
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Process information set: NOOPENFILEERRORBOX (logged 76 times)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match, File source: 0.2.QUOTE 7129.exe.2bb1170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.243793993.0000000002C33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 3528, Thread sleep time: -44412s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 4508, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 1396, Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936, Thread sleep count: 457 > 30
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936, Thread sleep count: 9400 > 30
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Window / User API: threadDelayed 457
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Window / User API: threadDelayed 9400
Source: C:\Users\user\Desktop\QUOTE 7129.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Thread delayed: delay time: 44412
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Thread delayed: delay time: 922337203685477
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: vmware
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Memory written: C:\Users\user\Desktop\QUOTE 7129.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
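The injection signature above (a copy of the sample started in suspended mode, an MZ header written at its image base 0x400000, then resumed), together with the WMI enumerations and the long sleeps in the evasion section, is the event sequence a behaviour-based detector scores. The following is an added example and not part of the Joe Sandbox report: a small classifier over a constructed API trace (`EVENTS`, modelled on this report's events and its PIDs 6056 and 5876, but not sandbox output) that flags process hollowing, VM fingerprinting via WMI, sleeps at or above the report's 3-minute threshold, and access to the Outlook profile key that the mail-credential signature is based on. The API names and field names used in the trace are this example's own convention. The constant 922337203685477 is the report's delay value; it equals .NET `TimeSpan.MaxValue` expressed in milliseconds (Int64.MaxValue ticks divided by 10000), so that sleep never returns on its own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit (Win32 CreateProcess)
MZ_HEX = "4D5A"                        # "MZ" DOS magic, as the report prints it
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's own "long sleep" threshold (>= 3 min)
TIMESPAN_MAX_MS = 922337203685477      # .NET TimeSpan.MaxValue in ms (Int64.MaxValue ticks / 10000)

# WMI classes enumerated to fingerprint a hypervisor. The first five are those this
# report flags; the remaining three are assumed additions seen in common anti-VM code.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_ComputerSystem", "Win32_VideoController", "Win32_DiskDrive",
}
# Outlook stores account settings under <Office version>\Outlook\Profiles\<profile>\.
OUTLOOK_PROFILE_RE = re.compile(r"\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE)

# Constructed API trace modelled on this report's events (parent 6056 -> child 5876).
# API and field names are this example's own convention, not sandbox output.
EVENTS = [
    {"pid": 6056, "api": "CreateProcessW", "image": r"C:\Users\user\Desktop\QUOTE 7129.exe",
     "flags": CREATE_SUSPENDED, "child_pid": 5876},
    {"pid": 6056, "api": "NtWriteVirtualMemory", "target_pid": 5876, "base": 0x400000, "data_prefix": "4D5A9000"},
    {"pid": 6056, "api": "NtSetContextThread", "target_pid": 5876},
    {"pid": 6056, "api": "NtResumeThread", "target_pid": 5876},
    {"pid": 5876, "api": "IWbemServices::CreateInstanceEnum", "class": "Win32_BaseBoard"},
    {"pid": 5876, "api": "IWbemServices::CreateInstanceEnum", "class": "Win32_Processor"},
    {"pid": 5876, "api": "IWbemServices::CreateInstanceEnum", "class": "Win32_OperatingSystem"},
    {"pid": 5876, "api": "NtDelayExecution", "delay_ms": 44412},
    {"pid": 5876, "api": "NtDelayExecution", "delay_ms": TIMESPAN_MAX_MS},
    {"pid": 5876, "api": "RegOpenKeyExW",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
]


def detect_hollowing(events: List[dict]) -> List[dict]:
    """Suspended child + MZ header written into it (+ thread resumed) => hollowing."""
    children: Dict[int, dict] = {}
    for e in events:
        api = e["api"]
        if api == "CreateProcessW" and e.get("flags", 0) & CREATE_SUSPENDED:
            children[e["child_pid"]] = {"parent": e["pid"], "child": e["child_pid"],
                                        "mz_base": None, "resumed": False}
        elif api == "NtWriteVirtualMemory" and e.get("target_pid") in children \
                and e.get("data_prefix", "").upper().startswith(MZ_HEX):
            children[e["target_pid"]]["mz_base"] = e["base"]
        elif api == "NtResumeThread" and e.get("target_pid") in children:
            children[e["target_pid"]]["resumed"] = True
    findings = []
    for st in children.values():
        if st["mz_base"] is not None:
            # A write without a resume may still be a staged injection: medium confidence.
            st["confidence"] = "high" if st["resumed"] else "medium"
            findings.append(st)
    return findings


def detect_anti_vm_wmi(events: List[dict]) -> Dict[int, Set[str]]:
    hits: Dict[int, Set[str]] = defaultdict(set)
    for e in events:
        if e["api"] == "IWbemServices::CreateInstanceEnum" and e.get("class") in VM_FINGERPRINT_CLASSES:
            hits[e["pid"]].add(e["class"])
    return dict(hits)


def detect_long_sleeps(events: List[dict], threshold_ms: int = LONG_SLEEP_MS) -> List[Tuple[int, int, str]]:
    out = []
    for e in events:
        if e["api"] == "NtDelayExecution" and e["delay_ms"] >= threshold_ms:
            label = ("TimeSpan.MaxValue (effectively infinite)" if e["delay_ms"] == TIMESPAN_MAX_MS
                     else f"{e['delay_ms'] / 60000:.1f} min")
            out.append((e["pid"], e["delay_ms"], label))
    return out


def detect_mail_credential_access(events: List[dict]) -> List[Tuple[int, str]]:
    return [(e["pid"], e["key"]) for e in events
            if e["api"] == "RegOpenKeyExW" and OUTLOOK_PROFILE_RE.search(e.get("key", ""))]


def triage(events: List[dict]) -> dict:
    return {"hollowing": detect_hollowing(events),
            "anti_vm_wmi": detect_anti_vm_wmi(events),
            "long_sleeps": detect_long_sleeps(events),
            "mail_credential_access": detect_mail_credential_access(events)}


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(f"{name}: {result}")
```

The hollowing rule keys on the combination rather than on any single call: CreateProcess with CREATE_SUSPENDED is normal for debuggers and installers, and WriteProcessMemory alone is normal for a lot of tooling, but a suspended child of the same image receiving an MZ header at its own image base and then being resumed is the sequence behind the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures. On the evasion side, the 44412 ms delay stays below the 3-minute threshold and is not flagged, while the TimeSpan.MaxValue delay is; a sandbox that patches sleeps will never see the payload run in that thread.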
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp, Binary or memory string: Progman
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp, Binary or memory string: SProgram Managerl
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd,
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Users\user\Desktop\QUOTE 7129.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Users\user\Desktop\QUOTE 7129.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7129.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR
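The injection evidence in the protection-evasion section (a copy of the sample spawned, then an MZ-headed buffer written at base 0x400000 in it) and the credential-store accesses listed above are the two behaviours an analyst most wants to pull out of a report like this automatically. The script below is an added example, not Joe Sandbox code: it assumes the evidence lines have been cleaned to the form `Source: <actor> | <Verb>: <details>`, assumes the child image in a `Process created` line ends at the first `.exe` boundary (the image path itself contains a space), and runs over constructed sample lines modelled on, not copied from, the report.

```python
"""Triage cleaned sandbox evidence lines for two behaviours this report lists:
self-injection of a PE image (spawn a copy of yourself, write 'MZ' at 0x400000
into it) and reads of mail/browser credential stores.

Added example, not Joe Sandbox code. Line shapes are an assumption modelled on
the report; the SAMPLE lines are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # process_created | memory_written | file_opened | key_opened
    actor: str           # image path of the process performing the action
    target: str          # child image, written-to image, file path or registry key
    base: int = 0        # write address (memory_written only)
    prefix: bytes = b""  # first bytes written (memory_written only)


LINE = re.compile(
    r"^Source: (?P<actor>.+?) \| "
    r"(?P<verb>Process created|Memory written|File opened|Key opened): (?P<rest>.+)$")
MEM = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<hex>[0-9A-Fa-f]+)$")
# 'Process created' prints the child image followed by its command line; the image
# path may contain spaces, so cut at the first '.exe' boundary (assumption).
PROC = re.compile(r"^(?P<child>.+?\.exe)(?:\s.*)?$", re.IGNORECASE)

# Credential-store locations taken from the report's own evidence lines.
# Matched as lower-cased path suffixes so user and profile directories do not matter.
CRED_STORES = {
    r"\thunderbird\profiles.ini": "Thunderbird profile index",
    r"\mozilla\firefox\profiles.ini": "Firefox profile index",
    r"\google\chrome\user data\default\login data": "Chrome saved logins",
    r"\profiles\outlook\9375cff0413111d3b88a00104b2a6676": "Outlook MAPI profile",
    r"\software\incredimail\identities": "IncrediMail identities",
}


def parse_line(line):
    """One cleaned evidence line -> Event, or None if the line is not one we handle."""
    m = LINE.match(line.strip())
    if not m:
        return None
    actor, verb, rest = m["actor"], m["verb"], m["rest"]
    if verb == "Memory written":
        w = MEM.match(rest)
        if not w:
            return None
        return Event("memory_written", actor, w["target"], int(w["base"], 16), bytes.fromhex(w["hex"]))
    if verb == "Process created":
        p = PROC.match(rest)
        return Event("process_created", actor, p["child"] if p else rest)
    return Event("file_opened" if verb == "File opened" else "key_opened", actor, rest)


def detect_self_hollowing(events):
    """Child image when the actor spawns its own image and then writes a buffer
    starting with 'MZ' (4D 5A) at the default image base 0x400000 in that child."""
    children = {e.target.lower() for e in events
                if e.kind == "process_created" and e.target.lower() == e.actor.lower()}
    for e in events:
        if (e.kind == "memory_written" and e.target.lower() in children
                and e.base == 0x400000 and e.prefix.startswith(b"MZ")):
            return e.target
    return None


def detect_credential_access(events):
    """Sorted, de-duplicated (store label, path) pairs for file/registry opens
    that end in a known credential-store location."""
    hits = set()
    for e in events:
        if e.kind in ("file_opened", "key_opened"):
            t = e.target.lower()
            for suffix, label in CRED_STORES.items():
                if t.endswith(suffix):
                    hits.add((label, e.target))
    return sorted(hits)


# Constructed sample, shaped after the report's lines (not copied from it).
SAMPLE = r"""
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Memory written: C:\Users\user\Desktop\QUOTE 7129.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Local\Temp\unrelated.tmp
"""


def triage(text):
    """Run both detectors over a block of cleaned evidence lines."""
    events = [e for e in map(parse_line, text.strip().splitlines()) if e]
    return {"self_hollowing": detect_self_hollowing(events),
            "credential_access": detect_credential_access(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE).items():
        print(name, "->", finding)
```

The hollowing rule deliberately requires all three facts together (same image spawned, write at 0x400000, MZ prefix); a write of other data into a child, or an MZ write into an unrelated process, is not flagged by this rule and would need a separate one. The credential rule only reports store locations the report itself names; extend CRED_STORES for other clients.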

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques listed per tactic column. A number in parentheses marks a technique matched by this sample and is the report's signature-count badge for that cell (where a cell carried several badges the digits were run together by extraction, e.g. 211); entries without a number are the matrix background.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (112); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry (1); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (114); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(Interactive process graph not reproduced here. Its legend distinguishes node types Process, Signature, Created File and DNS/IP Info; flags Is Dropped, Is Windows Process, Is malicious and Internet; counts of created registry values and created files; and the implementation language: Visual Basic, Delphi, Java, .Net C# or VB.NET, or C, C++ or other.)

                      Screenshots

                      Thumbnails
