Windows Analysis Report Escanear copia001.pdf.r13.exe

Overview

General Information

Sample Name: Escanear copia001.pdf.r13.exe
Analysis ID: 528678
MD5: 14de1a4fd7bd475b6456dd4d5482be8b
SHA1: 1b0b6db87e6cf3b952ec840669c52a4f873cf3be
SHA256: 1181955b92daca60677ddd93afcb2c10a0d2e4d77f8a67ced5dfa3dfaaa27594
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 1.2.Escanear copia001.pdf.r13.exe.42c1e08.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ugo@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 2.2.Escanear copia001.pdf.r13.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Escanear copia001.pdf.r13.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Escanear copia001.pdf.r13.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp, Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: http://uArhJl.com
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.355155852.000000000419D000.00000004.00000001.sdmp, Escanear copia001.pdf.r13.exe, 00000002.00000000.352642161.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Escanear copia001.pdf.r13.exe
.NET source code contains very large array initializations
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 2.2.Escanear copia001.pdf.r13.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Uses 32bit PE files
Source: Escanear copia001.pdf.r13.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 1_2_02F58250 1_2_02F58250
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 1_2_02F5D2F8 1_2_02F5D2F8
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_01871438 2_2_01871438
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_057146A0 2_2_057146A0
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_0571359C 2_2_0571359C
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_057145F0 2_2_057145F0
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_057145B0 2_2_057145B0
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_05714650 2_2_05714650
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_05714630 2_2_05714630
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_05715390 2_2_05715390
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A0040 2_2_067A0040
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A4D88 2_2_067A4D88
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A54C9 2_2_067A54C9
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A55C8 2_2_067A55C8
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067AEC30 2_2_067AEC30
Sample file is different than original file name gathered from version info
Source: Escanear copia001.pdf.r13.exe Binary or memory string: OriginalFilename vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.358148021.0000000006370000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.355155852.000000000419D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.355155852.000000000419D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.357830466.0000000005EC0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000002.00000000.352686297.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.610837119.0000000001358000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe Binary or memory string: OriginalFilenameAssemblyRequestEnt.exe. vs Escanear copia001.pdf.r13.exe
Source: Escanear copia001.pdf.r13.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File read: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe "C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe"
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Process created: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Escanear copia001.pdf.r13.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: /AssemblyRequestEnt;component/views/addbook.xaml
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: views/addbook.baml
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: views/addcustomer.baml
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: /AssemblyRequestEnt;component/views/addcustomer.xaml
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: a/AssemblyRequestEnt;component/views/addbook.xamlw/AssemblyRequestEnt;component/views/borrowfrombookview.xamlm/AssemblyRequestEnt;component/views/borrowingview.xamlg/AssemblyRequestEnt;component/views/changebook.xamlo/AssemblyRequestEnt;component/views/changecustomer.xamlk/AssemblyRequestEnt;component/views/customerview.xamlo/AssemblyRequestEnt;component/views/deletecustomer.xamle/AssemblyRequestEnt;component/views/errorview.xamli/AssemblyRequestEnt;component/views/smallextras.xamli/AssemblyRequestEnt;component/views/addcustomer.xaml
Source: Escanear copia001.pdf.r13.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.Escanear copia001.pdf.r13.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Escanear copia001.pdf.r13.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Escanear copia001.pdf.r13.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Escanear copia001.pdf.r13.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Escanear copia001.pdf.r13.exe.be0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Escanear copia001.pdf.r13.exe.be0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.11.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Escanear copia001.pdf.r13.exe.f40000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Escanear copia001.pdf.r13.exe.f40000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 1_2_00BE92F5 push ds; ret 1_2_00BE9340
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 1_2_00BE9361 push ds; retf 1_2_00BE9364
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 1_2_00BE9347 push ds; ret 1_2_00BE934C
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_00F492F5 push ds; ret 2_2_00F49340
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_00F49361 push ds; retf 2_2_00F49364
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_00F49347 push ds; ret 2_2_00F4934C
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A3EFF push es; ret 2_2_067A3F00
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Code function: 2_2_067A3F8F push es; ret 2_2_067A3F90
Source: initial sample Static PE information: section name: .text entropy: 7.8799771332
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Process information set: NOOPENFILEERRORBOX (this entry is repeated 101 times in the original report)
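The static PE facts the report repeats across the Compliance, System Summary and Data Obfuscation sections (32BIT_MACHINE and EXECUTABLE_IMAGE in the COFF header; DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE in DllCharacteristics; the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks a .NET assembly; the .text section flags and its entropy of 7.88) can all be read from the file headers without running anything. The block below is an added example written by the editor; it is not Joe Sandbox code and not code from the sample. It is a minimal PE32 header parser that decodes those flag words, checks the CLR data-directory slot and computes the Shannon entropy of each section. It builds its own synthetic PE32 image to run on (random bytes for .text, so the entropy lands near 8 bits per byte, as the report's 7.88 does for the real sample); the image builder, its flag values and the constant tables are the editor's, and only PE32, not PE32+, is handled.

```python
import math
import random
import struct
from collections import Counter

# Flag names as in the PE/COFF specification (and as the report prints them).
COFF_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_CHARACTERISTICS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                           0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot holding the CLR header
PE32_MAGIC = 0x10B


def flag_names(value, table):
    """Decode a flag word into the spec names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(blob: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, coff_flags = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    dll_flags = struct.unpack_from("<H", blob, opt + 70)[0]       # DllCharacteristics
    n_dirs = struct.unpack_from("<I", blob, opt + 92)[0]          # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", blob, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, sec_flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "flags": flag_names(sec_flags, SECTION_CHARACTERISTICS),
                         "entropy": round(shannon_entropy(raw), 4)})
    return {"coff_flags": flag_names(coff_flags, COFF_CHARACTERISTICS),
            "dll_flags": flag_names(dll_flags, DLL_CHARACTERISTICS),
            "is_dotnet": clr_rva != 0 and clr_size != 0,
            "sections": sections}


def build_sample_pe32(text: bytes, coff_flags=0x0102, dll_flags=0x8540, dotnet=True) -> bytes:
    """Constructed minimal PE32 image (headers plus one .text section); not the sample.
    Defaults reproduce the report's flags: EXECUTABLE_IMAGE|32BIT_MACHINE and
    DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE."""
    headers_size = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, coff_flags)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_flags)
    struct.pack_into("<I", opt, 92, 16)
    if dotnet:   # non-zero CLR header RVA/size is what marks a managed image
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), headers_size,
                      0, 0, 0, 0, 0x60000020)   # CNT_CODE|MEM_EXECUTE|MEM_READ
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(headers_size, b"\0") + text


def high_entropy_text(seed=0xC0FFEE, size=4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed .text section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print(parse_pe32(build_sample_pe32(high_entropy_text())))
```

A section entropy above roughly 7.5 on a .NET image, as here, usually means the real payload is stored encrypted and decrypted at run time, which is consistent with the CreateDecryptor/TransformFinalBlock calls and the Assembly.Load(byte[]) unpacker the report lists.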

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.31f8fa4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.328b784.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Escanear copia001.pdf.r13.exe PID: 6516, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp, Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354610313.0000000003191000.00000004.00000001.sdmp, Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
(SbieDll.dll is the DLL Sandboxie injects into every sandboxed process, and wine_get_unix_file_name is a kernel32 export that only Wine provides; probing for either, typically through GetModuleHandle / GetProcAddress, is a standard sandbox and Wine check.)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
(Win32_BaseBoard exposes Manufacturer/Product strings that name the hypervisor on a virtual machine, and Win32_NetworkAdapterConfiguration exposes MAC addresses whose vendor prefix does the same; Win32_Processor, queried further down, is used the same way. Note that the signature headers name Win32_NetworkAdapter and Win32_Bios, while the classes actually enumerated here are Win32_NetworkAdapterConfiguration and Win32_BaseBoard.)
May sleep (evasive loops) to hinder dynamic analysis
(The values below are milliseconds despite the "s" suffix: 240000 is a four-minute sleep. 922337203685477 is 2^63 / 10000, the millisecond reading of the 0x8000000000000000 tick value that SleepEx(INFINITE) hands to NtDelayExecution, so that entry and its exact multiples are infinite waits rather than timed delays. The run from 240000 down to 236296, shrinking by roughly 110 ms per entry, is the shape of a loop that wakes and re-sleeps for the time remaining until a fixed deadline.)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3424 Thread sleep count: 742 > 30
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239890s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3424 Thread sleep count: 1421 > 30
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239780s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 6540 Thread sleep time: -37205s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239655s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239539s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239420s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239311s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239174s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -239046s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238921s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238796s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238687s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238578s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238468s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -238140s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -236547s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -236405s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 3576 Thread sleep time: -236296s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 7152 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 5788 Thread sleep count: 1063 > 30
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe TID: 5788 Thread sleep count: 8805 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239890
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239780
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239655
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239539
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239420
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239311
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239174
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 239046
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238921
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238796
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238687
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238578
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238468
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 238140
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 236547
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 236405
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 236296
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Window / User API: threadDelayed 742
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Window / User API: threadDelayed 1421
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Window / User API: threadDelayed 1063
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Window / User API: threadDelayed 8805
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Thread delayed: delay time: 37205
(The other thread-delay entries recorded here repeat, value for value, the list given above under "Contains long sleeps (>= 3 min)".)
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Escanear copia001.pdf.r13.exe, 00000001.00000002.354744696.000000000325B000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
(These are the VMware artefacts an anti-VM check compares against, the SVGA II display adapter name, the VMware Tools install path and its registry key, whether they sit in the sample's own detection list or were read back from the analysis host. The first string also carries an adjacent fragment, Add-MpPreference -ExclusionPath, the PowerShell cmdlet that adds a Windows Defender exclusion; the report shows the string in memory but records no execution of it.)

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Memory allocated: page read and write | page guard
(Adjusting the token to hold SeDebugPrivilege lets the process open other processes regardless of owner; it is not needed to write into a child the process created itself. Allocating a PAGE_GUARD region and then touching it is a classic debugger check: the guard-page exception reaches the program's own handler only when no attached debugger has consumed it first.)

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Process created: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe
(The parent starts a second copy of its own image suspended. Read together with the AgentTesla Yara hits at 0x400000 in the child's 2.0 dumps under "Stealing of Sensitive Information", taken here as the start-of-process snapshot, the payload is in place before the child's entry point runs: the decrypted payload is written over the child's image, the pattern known as process hollowing. The parent, PID 6516, is the only process matched by the AntiVM3 rule, and the child, PID 5868, is the only one matched by the Credential Stealer rule, so the loader and the stealer are split across the two.)
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612158631.0000000001C20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612158631.0000000001C20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612158631.0000000001C20000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Escanear copia001.pdf.r13.exe, 00000002.00000002.612158631.0000000001C20000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
(The volume queries against GAC assemblies are ordinary CLR assembly-loading noise, though the list doubles as an inventory of what the sample pulls in; System.Management is the managed WMI client behind the hardware queries above. The MachineGuid read is the meaningful entry: a stable per-install identifier that stealers commonly use to tag a victim host.)

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 2.2.Escanear copia001.pdf.r13.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.42c1e08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Escanear copia001.pdf.r13.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Escanear copia001.pdf.r13.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Escanear copia001.pdf.r13.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Escanear copia001.pdf.r13.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.428c5e8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Escanear copia001.pdf.r13.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.42c1e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Escanear copia001.pdf.r13.exe.428c5e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.352642161.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.610196279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.352178048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.351142035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.351621242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.355155852.000000000419D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Escanear copia001.pdf.r13.exe PID: 6516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Escanear copia001.pdf.r13.exe PID: 5868, type: MEMORYSTR
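The Yara hits above are reported against Joe Sandbox dump identifiers, and where a match sits is what turns the suspended-process creation recorded under "HIPS / PFW / Operating System Protection Evasion" into an injection story. The Python below is added as an illustration and is not part of this report or of Joe Sandbox. It parses the two identifier shapes ("<process>.<stage>.<image>.<address>.<n>[.raw].unpack" and the eight-field ".sdmp" form) and asks, per process, whether the payload was already present in an executable-and-writable region in the earliest dump. The field meanings are this example's reading of the naming, not documented on the page: the first number is taken as the analysis-local process index, the second as the dump stage (0 as the start-of-process snapshot, 2 as the end-of-analysis snapshot), and the ".sdmp" hex fields as the region address and the Win32 page protection; the sixth ".sdmp" field is left unparsed. The sample identifiers are copied from this report.

```python
import re
from dataclasses import dataclass
from typing import Optional

PAGE_READWRITE = 0x04             # Win32 page protections (winnt.h)
PAGE_EXECUTE_READWRITE = 0x40

# "<proc>.<stage>.<image>.<hex addr>.<n>[.raw].unpack"
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<addr>[0-9a-fA-F]+)"
    r"\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
# "<proc8>.<stage8>.<serial>.<hex addr16>.<prot8>.<unparsed8>.sdmp"
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<serial>\d+)\.(?P<addr>[0-9a-fA-F]{16})"
    r"\.(?P<prot>[0-9a-fA-F]{8})\.(?P<rest>[0-9a-fA-F]{8})\.sdmp$")


@dataclass
class DumpRef:
    proc: int               # analysis-local process index (assumed: 1 = parent, 2 = child)
    stage: int              # dump stage (assumed: 0 = at process start, 2 = at end)
    addr: int               # region address
    prot: Optional[int]     # page protection; only the .sdmp form carries one
    kind: str               # "unpack" or "sdmp"


def parse_source(source):
    """Turn one 'File source:' token into a DumpRef; None for the
    'Process Memory Space: ... PID: n' form, which names no region."""
    m = UNPACK_RE.match(source)
    if m:
        return DumpRef(int(m["proc"]), int(m["stage"]), int(m["addr"], 16), None, "unpack")
    m = SDMP_RE.match(source)
    if m:
        return DumpRef(int(m["proc"]), int(m["stage"]), int(m["addr"], 16),
                       int(m["prot"], 16), "sdmp")
    return None


def summarize(sources):
    """Per process index: stages that matched, lowest matched address, and the stages
    in which a match sat in a PAGE_EXECUTE_READWRITE region."""
    out = {}
    for s in sources:
        ref = parse_source(s)
        if ref is None:
            continue
        p = out.setdefault(ref.proc, {"stages": set(), "min_addr": ref.addr, "rwx_stages": set()})
        p["stages"].add(ref.stage)
        p["min_addr"] = min(p["min_addr"], ref.addr)
        if ref.prot == PAGE_EXECUTE_READWRITE:
            p["rwx_stages"].add(ref.stage)
    return out


def injected_before_start(summary, proc):
    """The payload matched in the stage-0 snapshot inside an RWX region: the picture a
    parent leaves after writing an image into a child it created suspended."""
    p = summary.get(proc)
    return bool(p) and 0 in p["rwx_stages"]


# A subset of the Yara match sources from this report.
SAMPLE_SOURCES = [
    "2.2.Escanear copia001.pdf.r13.exe.400000.0.unpack",
    "1.2.Escanear copia001.pdf.r13.exe.42c1e08.3.unpack",
    "2.0.Escanear copia001.pdf.r13.exe.400000.6.unpack",
    "1.2.Escanear copia001.pdf.r13.exe.428c5e8.4.raw.unpack",
    "00000002.00000000.352642161.0000000000402000.00000040.00000001.sdmp",
    "00000002.00000002.610196279.0000000000402000.00000040.00000001.sdmp",
    "00000001.00000002.355155852.000000000419D000.00000004.00000001.sdmp",
    "00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp",
    "Process Memory Space: Escanear copia001.pdf.r13.exe PID: 6516",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_SOURCES)
    for proc in sorted(summary):
        print(proc, hex(summary[proc]["min_addr"]), sorted(summary[proc]["stages"]),
              "injected before start:", injected_before_start(summary, proc))
```

Process 2 matches at 0x400000/0x402000 in both stage 0 and stage 2 with the pages executable and writable, while process 1 matches only in stage 2 and only in PAGE_READWRITE heap regions well above the image base: the parent decrypts the payload onto its heap and the child carries it as its image from the first snapshot on.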
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
(profiles.ini is read to locate the Thunderbird profile directory that holds logins.json and key4.db; 9375CFF0413111d3B88A00104B2A6676 is the Outlook profile subkey under which account settings are stored.)
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
(Login Data is Chrome's SQLite store of saved logins, with passwords encrypted under a key that DPAPI protects for the logged-on user, which is why the stealer runs inside that user's session; Firefox's profiles.ini points to the profile holding logins.json and key4.db. Only the opens are recorded here; the report does not show what was read.)
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.612456843.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Escanear copia001.pdf.r13.exe PID: 5868, type: MEMORYSTR
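The mail and browser signatures above describe one behaviour: a single process that is none of those clients reading several of their credential stores in quick succession. The Python below is added as an illustration and is not part of this report. It turns that into a check over file and registry access events: the store list is taken from the paths in this report, while the event format, the owner-process allowlist and the two-families threshold are this example's assumptions, and the events are constructed sample data modelled on the accesses recorded here.

```python
from collections import defaultdict

# Credential stores this sample opened, keyed by a lower-cased path suffix (file paths
# and registry keys alike) and mapped to the mail or browser client they belong to.
CREDENTIAL_STORES = {
    r"appdata\roaming\thunderbird\profiles.ini": "thunderbird",
    r"appdata\roaming\mozilla\firefox\profiles.ini": "firefox",
    r"appdata\local\google\chrome\user data\default\login data": "chrome",
    r"windows messaging subsystem\profiles\outlook\9375cff0413111d3b88a00104b2a6676": "outlook",
    r"software\incredimail\identities": "incredimail",
}

# Processes that legitimately read their own store (assumed allowlist, extend per site;
# no entry for IncrediMail because its process name is not given on this page).
OWNER_PROCESSES = {
    "thunderbird": {"thunderbird.exe"},
    "firefox": {"firefox.exe"},
    "chrome": {"chrome.exe"},
    "outlook": {"outlook.exe"},
}


def classify_target(target):
    """Map a file path or registry key to the client family whose credential store it is."""
    t = target.lower().replace("/", "\\")
    for suffix, family in CREDENTIAL_STORES.items():
        if t.endswith(suffix):
            return family
    return None


def flag_harvesters(events, min_families=2):
    """events: dicts with "pid", "image", "op" ("file_open" | "key_open") and "target".
    Flags every pid that reads credential stores of at least min_families different
    clients it does not own; returns {pid: sorted families touched}."""
    touched = defaultdict(set)
    for ev in events:
        family = classify_target(ev["target"])
        if family is None:
            continue
        exe = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in OWNER_PROCESSES.get(family, set()):
            continue                       # a client reading its own store is expected
        touched[ev["pid"]].add(family)
    return {pid: sorted(f) for pid, f in touched.items() if len(f) >= min_families}


SAMPLE_EXE = r"C:\Users\user\Desktop\Escanear copia001.pdf.r13.exe"
PROFILE = r"C:\Users\user\AppData"

# Constructed events: the sample's accesses from this report, plus benign activity
# (clients reading their own stores, one unrelated process touching a single store).
SAMPLE_EVENTS = [
    {"pid": 6516, "image": SAMPLE_EXE, "op": "file_open", "target": PROFILE + r"\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6516, "image": SAMPLE_EXE, "op": "file_open", "target": PROFILE + r"\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6516, "image": SAMPLE_EXE, "op": "key_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 6516, "image": SAMPLE_EXE, "op": "key_open", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 6516, "image": SAMPLE_EXE, "op": "file_open", "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 6516, "image": SAMPLE_EXE, "op": "file_open", "target": PROFILE + r"\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4120, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "file_open",
     "target": PROFILE + r"\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "file_open",
     "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2280, "image": r"C:\Windows\System32\svchost.exe", "op": "file_open",
     "target": PROFILE + r"\Roaming\Thunderbird\profiles.ini"},
]

if __name__ == "__main__":
    print(flag_harvesters(SAMPLE_EVENTS))   # only the sample's pid is reported
```

The threshold is what keeps the check quiet: a backup agent or an indexer may legitimately open one of these files, but a process that is not a mail client and not a browser yet walks Thunderbird, Outlook, IncrediMail, Chrome and Firefox stores in a row has no benign explanation. Lowering min_families to 1 surfaces the single-store touches as well, for triage rather than alerting.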

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match (the same file sources as listed under "Stealing of Sensitive Information" above: the 2.0 and 2.2 dumps at 0x400000, the 1.2 heap dumps, the 0x402000 and 0x32C1000/0x419D000 memory regions, and the process memory of PIDs 6516 and 5868)
No contacted IP infos (no network connections were recorded during the analysis run)