
Windows Analysis Report Sipari#U015f formu.exe

Overview

General Information

Sample Name: Sipari#U015f formu.exe
Analysis ID: 528524
MD5: 032bbfd4181a7cee029849db610a318b
SHA1: c99434f7f007f6f0f1317839cc7129db813d0750
SHA256: 9ae8f73164a7e8159a942f5c304cb55560f975ca943f00c2ef4f6dd489ce0656
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Sipari#U015f formu.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\Sipari#U015f formu.exe" MD5: 032BBFD4181A7CEE029849DB610A318B)
    • Sipari#U015f formu.exe (PID: 5956 cmdline: C:\Users\user\Desktop\Sipari#U015f formu.exe MD5: 032BBFD4181A7CEE029849DB610A318B)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 18 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 17 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}
Source: Sipari#U015f formu.exe.5356.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: Sipari#U015f formu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Sipari#U015f formu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://nQZIDO.com
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument-----
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A85C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BC8250
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BCD2F8
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055FF5D0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AB0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AA0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00595C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF6078
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF5318
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF2E70
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFD060
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA902
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC5D98
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC1310
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4960
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4950
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EBDF60
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilename vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.660812533.0000000005DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.662053728.0000000006350000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000002.917015212.0000000000798000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilenameHa.exe. vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File read: C:\Users\user\Desktop\Sipari#U015f formu.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe "C:\Users\user\Desktop\Sipari#U015f formu.exe"
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sipari#U015f formu.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addbook.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addbook.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addcustomer.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: A/Ha;component/views/addbook.xamlW/Ha;component/views/borrowfrombookview.xamlM/Ha;component/views/borrowingview.xamlG/Ha;component/views/changebook.xamlO/Ha;component/views/changecustomer.xamlK/Ha;component/views/customerview.xamlO/Ha;component/views/deletecustomer.xamlE/Ha;component/views/errorview.xamlI/Ha;component/views/smallextras.xamlI/Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Sipari#U015f formu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sipari#U015f formu.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.13.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89361 push ds; retf
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A892F5 push ds; ret
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89347 push ds; ret
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F56E0 push esp; iretd
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599347 push ds; ret
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_005992F5 push ds; ret
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599361 push ds; retf
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA35B pushfd ; iretd
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA359 pushfd ; iretd
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA354 pushfd ; iretd
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA360 pushfd ; iretd
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF4778 push 00000041h; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.88235938246
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.2e25574.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -240000s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 | Thread sleep count: 591 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239843s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 | Thread sleep count: 2085 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239728s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5404 | Thread sleep time: -30884s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239624s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239515s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239405s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239296s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239187s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239077s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238968s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238827s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238718s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238606s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238390s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -237343s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236750s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236390s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236249s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 1296 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 7084 | Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 | Thread sleep count: 865 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 | Thread sleep count: 8996 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239843
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239728
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239624
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239515
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239405
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239296
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239187
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239077
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238968
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238827
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238718
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238606
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 237343
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236750
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236249
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 591
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 2085
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 865
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 8996
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239843
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239728
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 30884
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239624
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239515
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239405
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239296
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239187
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239077
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238968
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238827
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238718
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238606
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 237343
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236750
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236249
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFEDC8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Users\user\Desktop\Sipari#U015f formu.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Users\user\Desktop\Sipari#U015f formu.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected Telegram RAT
                      Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected Telegram RAT
                      Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping1 | Security Software Discovery211 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File and Directory Permissions Modification1 | Input Capture111 | Process Discovery2 | Remote Desktop Protocol | Input Capture111 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion131 | SMB/Windows Admin Shares | Archive Collected Data11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion131 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Data from Local System1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection12 | LSA Secrets | System Information Discovery114 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.0.Sipari#U015f formu.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.2.Sipari#U015f formu.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://nQZIDO.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument----- | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | false | | high
http://nQZIDO.com | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/ | Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | false | | high

                            Contacted IPs

                            No contacted IP infos

                            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528524
Start date: 25.11.2021
Start time: 13:18:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Sipari#U015f formu.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@3/2@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
13:19:03 | API Interceptor | 835x Sleep call for process: Sipari#U015f formu.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sipari#U015f formu.exe.log
Process: C:\Users\user\Desktop\Sipari#U015f formu.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2239
Entropy (8bit): 5.354287817410997
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
MD5: 913D1EEA179415C6D08FB255AE42B99D
SHA1: E994C612C0596994AAE55FBCE35B7A4FBE312FD7
SHA-256: 473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
SHA-512: 768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\Desktop\Sipari#U015f formu.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 835
Entropy (8bit): 4.694294591169137
Encrypted: false
SSDEEP: 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5: 6EB47C1CF858E25486E42440074917F2
SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512: 08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious: true
Reputation: moderate, very likely benign file
Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                            Static File Info

                            General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.871616213599999
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Sipari#U015f formu.exe
File size: 500736
MD5: 032bbfd4181a7cee029849db610a318b
SHA1: c99434f7f007f6f0f1317839cc7129db813d0750
SHA256: 9ae8f73164a7e8159a942f5c304cb55560f975ca943f00c2ef4f6dd489ce0656
SHA512: aa504d9d1235478c61bb0545cbef88e03bf2ab0a852ddbdae1c65ba79511bf44ac43c023bcf5cf15c80aec4adf90a452a3d611cc32a6107c60f5c70fc13bf8e1
SSDEEP: 12288:xe1O0GEJPlAFHRv2wAtHcrhCaMI7oPLH8ixBFm:xkO0GkPlQRv2lt8rdVMPLH8i1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a..............0.............^.... ........@.. ....................................@................................

                            File Icon

Icon Hash: 00828e8e8686b000

                            Static PE Info

                            General

Entrypoint: 0x47b95e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619F43BA [Thu Nov 25 08:05:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al
(the preceding instruction repeats 92 times: the rest of the entrypoint preview is zero bytes, which disassemble as "add byte ptr [eax], al")

                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b90c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x79974 | 0x79a00 | False | 0.897995889003 | data | 7.88235938246 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7c000 | 0x5ac | 0x600 | False | 0.425130208333 | data | 4.10522833329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7c090 | 0x31c | data | |
RT_MANIFEST | 0x7c3bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName | Ha.exe
FileVersion | 5.6.0.0
CompanyName | Rogers Peet
LegalTrademarks |
Comments |
ProductName | Biblan
ProductVersion | 5.6.0.0
FileDescription | Biblan
OriginalFilename | Ha.exe

                            Network Behavior

                            No network behavior found

                            Code Manipulations

                            Statistics

                            Behavior


                            System Behavior

                            General

Start time: 13:19:02
Start date: 25/11/2021
Path: C:\Users\user\Desktop\Sipari#U015f formu.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Sipari#U015f formu.exe"
Imagebase: 0xa80000
File size: 500736 bytes
MD5 hash: 032BBFD4181A7CEE029849DB610A318B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                            General

Start time: 13:19:04
Start date: 25/11/2021
Path: C:\Users\user\Desktop\Sipari#U015f formu.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Sipari#U015f formu.exe
Imagebase: 0x590000
File size: 500736 bytes
MD5 hash: 032BBFD4181A7CEE029849DB610A318B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                            Disassembly

                            Code Analysis
