Windows Analysis Report Payment_Swift,png.exe

Overview

General Information

Sample Name: Payment_Swift,png.exe
Analysis ID: 502638
MD5: f589816b35976438b88a621266d7d071
SHA1: 1a845d22e5378b8771536806bb312f6ded7b1046
SHA256: e4c466fd6fb96b2ffc5682a75154df8501c8edb5234b14349ba5c01afc717b12
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 1.2.Payment_Swift,png.exe.400000.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@alishair.rs", "Password": "qR8JmTXtlKf0", "Host": "mail.alishair.rs"}
Multi AV Scanner detection for submitted file
Source: Payment_Swift,png.exe Virustotal: Detection: 29%
Machine Learning detection for sample
Source: Payment_Swift,png.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Payment_Swift,png.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.1.Payment_Swift,png.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.Payment_Swift,png.exe.4990000.5.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Unpacked PE file: 1.2.Payment_Swift,png.exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Unpacked PE file: 1.2.Payment_Swift,png.exe.4990000.5.unpack
Uses 32bit PE files
Source: Payment_Swift,png.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: Payment_Swift,png.exe, 00000000.00000003.656745520.000000000F040000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_Swift,png.exe, 00000000.00000003.656745520.000000000F040000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49851 -> 78.46.56.160:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49851 -> 78.46.56.160:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49851 -> 78.46.56.160:587
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: http://RoaIUm.com
Source: Payment_Swift,png.exe, 00000001.00000002.918750136.00000000027C8000.00000004.00000001.sdmp String found in binary or memory: http://alishair.rs
Source: Payment_Swift,png.exe, 00000001.00000002.918705683.000000000277C000.00000004.00000001.sdmp, Payment_Swift,png.exe, 00000001.00000002.918766104.00000000027D5000.00000004.00000001.sdmp, Payment_Swift,png.exe, 00000001.00000003.868543412.00000000005D4000.00000004.00000001.sdmp String found in binary or memory: http://kTKI1CRL4jwK4qEe.org
Source: Payment_Swift,png.exe, 00000001.00000002.918750136.00000000027C8000.00000004.00000001.sdmp String found in binary or memory: http://mail.alishair.rs
Source: Payment_Swift,png.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment_Swift,png.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Payment_Swift,png.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment_Swift,png.exe, 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.alishair.rs

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_Swift,png.exe
.NET source code contains very large array initializations
Source: 1.2.Payment_Swift,png.exe.4990000.5.unpack, <PrivateImplementationDetails>{ECFDFD74-3329-4626-A3C8-E4302F1A4829}/D3F97F87-022E-4672-AC2E-7174979C741F.cs Large array initialization: .cctor: array initializer size 11970
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_Swift,png.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Payment_Swift,png.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6A33 0_2_729B6A33
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6A24 0_2_729B6A24
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0057EA18 1_2_0057EA18
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0057D358 1_2_0057D358
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00572760 1_2_00572760
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00571FE0 1_2_00571FE0
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0094BD28 1_2_0094BD28
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00946E48 1_2_00946E48
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0095C1A8 1_2_0095C1A8
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00954AE8 1_2_00954AE8
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00956DB8 1_2_00956DB8
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00951620 1_2_00951620
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00953F20 1_2_00953F20
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0095F8B8 1_2_0095F8B8
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_009594D0 1_2_009594D0
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00951F98 1_2_00951F98
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_022747A0 1_2_022747A0
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_022746B0 1_2_022746B0
Sample file is different than original file name gathered from version info
Source: Payment_Swift,png.exe, 00000000.00000003.652988324.000000000F2EF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Swift,png.exe
Source: Payment_Swift,png.exe, 00000000.00000002.659733412.000000000EFF0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamedLRvAUZAIMwHAIjyyqmOVnMDGEqKXZyRqf.exe4 vs Payment_Swift,png.exe
Source: Payment_Swift,png.exe Binary or memory string: OriginalFilename vs Payment_Swift,png.exe
Source: Payment_Swift,png.exe, 00000001.00000002.919115676.0000000004992000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamedLRvAUZAIMwHAIjyyqmOVnMDGEqKXZyRqf.exe4 vs Payment_Swift,png.exe
Source: Payment_Swift,png.exe, 00000001.00000002.917122493.0000000000199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment_Swift,png.exe
Source: Payment_Swift,png.exe Virustotal: Detection: 29%
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File read: C:\Users\user\Desktop\Payment_Swift,png.exe
Source: Payment_Swift,png.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Payment_Swift,png.exe 'C:\Users\user\Desktop\Payment_Swift,png.exe'
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Process created: C:\Users\user\Desktop\Payment_Swift,png.exe 'C:\Users\user\Desktop\Payment_Swift,png.exe'
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File created: C:\Users\user\AppData\Local\Temp\nspB567.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: 1.2.Payment_Swift,png.exe.4990000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP source: Payment_Swift,png.exe, 00000000.00000003.656745520.000000000F040000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_Swift,png.exe, 00000000.00000003.656745520.000000000F040000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Unpacked PE file: 1.2.Payment_Swift,png.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Unpacked PE file: 1.2.Payment_Swift,png.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Unpacked PE file: 1.2.Payment_Swift,png.exe.4990000.5.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B1080 push eax; ret 0_2_729B10AE
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00954AE8 push edx; retf 1_2_00955311
PE file contains an invalid checksum
Source: qxtkzfqfq.dll.0.dr Static PE information: real checksum: 0x10bc8 should be: 0x15201
Source: Payment_Swift,png.exe Static PE information: real checksum: 0x0 should be: 0x4ea22

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File created: C:\Users\user\AppData\Local\Temp\nskB597.tmp\qxtkzfqfq.dll

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\payment_swift,png.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG130.tmp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment_Swift,png.exe TID: 6812 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\Payment_Swift,png.exe TID: 7004 Thread sleep count: 369 > 30
Source: C:\Users\user\Desktop\Payment_Swift,png.exe TID: 7004 Thread sleep count: 9485 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Window / User API: threadDelayed 369
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Window / User API: threadDelayed 9485
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment_Swift,png.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Thread delayed: delay time: 922337203685477

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6402 mov eax, dword ptr fs:[00000030h] 0_2_729B6402
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B66C7 mov eax, dword ptr fs:[00000030h] 0_2_729B66C7
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6616 mov eax, dword ptr fs:[00000030h] 0_2_729B6616
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6706 mov eax, dword ptr fs:[00000030h] 0_2_729B6706
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_729B6744 mov eax, dword ptr fs:[00000030h] 0_2_729B6744
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0057DEE8 LdrInitializeThunk, 1_2_0057DEE8
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Memory written: C:\Users\user\Desktop\Payment_Swift,png.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Process created: C:\Users\user\Desktop\Payment_Swift,png.exe 'C:\Users\user\Desktop\Payment_Swift,png.exe'
Source: Payment_Swift,png.exe, 00000001.00000002.918027987.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Payment_Swift,png.exe, 00000001.00000002.918027987.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Payment_Swift,png.exe, 00000001.00000002.918027987.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Payment_Swift,png.exe, 00000001.00000002.918027987.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 1.1.Payment_Swift,png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.f001458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4950000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.eff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4950000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.eff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.725f28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.725f28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.f001458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.3475530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.3475530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.919115676.0000000004992000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919064429.0000000004950000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.657206121.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917739877.0000000000708000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.918967419.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.659733412.000000000EFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917198466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Swift,png.exe PID: 5908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Swift,png.exe PID: 5944, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Payment_Swift,png.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment_Swift,png.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Swift,png.exe PID: 5944, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 1.1.Payment_Swift,png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.f001458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4950000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.eff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.4950000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.eff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.725f28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.725f28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Swift,png.exe.f001458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.3475530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Payment_Swift,png.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.3475530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment_Swift,png.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.919115676.0000000004992000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919064429.0000000004950000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.657206121.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917739877.0000000000708000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.918967419.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.659733412.000000000EFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917198466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.918296009.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Swift,png.exe PID: 5908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Swift,png.exe PID: 5944, type: MEMORYSTR