Windows Analysis Report Pago Transferencia.pdf.exe

Overview

General Information

Sample Name: Pago Transferencia.pdf.exe
Analysis ID: 528709
MD5: 02bf0fc6d6fdc5aa692f136da966b62c
SHA1: 7ab36a1ea547408e9254428887b3a41a83e2c849
SHA256: 49121cf42d9ee0f820e76416c3bd0ea7f69036fde442ca8ad2a69737c50ac97e
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ugo@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.Pago Transferencia.pdf.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.Pago Transferencia.pdf.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.Pago Transferencia.pdf.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.Pago Transferencia.pdf.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.Pago Transferencia.pdf.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Pago Transferencia.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Pago Transferencia.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Pago Transferencia.pdf.exe, 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Pago Transferencia.pdf.exe, 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp, Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pago Transferencia.pdf.exe, 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp String found in binary or memory: http://uArhJl.com
Source: Pago Transferencia.pdf.exe, 00000001.00000002.251510094.0000000003C0D000.00000004.00000001.sdmp, Pago Transferencia.pdf.exe, 00000003.00000000.248078811.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Pago Transferencia.pdf.exe, 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Pago Transferencia.pdf.exe
.NET source code contains very large array initializations
Source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 3.0.Pago Transferencia.pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 3.0.Pago Transferencia.pdf.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 3.0.Pago Transferencia.pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Source: 3.0.Pago Transferencia.pdf.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.cs Large array initialization: .cctor: array initializer size 11787
Uses 32bit PE files
Source: Pago Transferencia.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 1_2_007A6BFF 1_2_007A6BFF
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 1_2_007A5C24 1_2_007A5C24
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00606BFF 3_2_00606BFF
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00605C24 3_2_00605C24
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_007918A8 3_2_007918A8
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_007912D8 3_2_007912D8
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_0079A340 3_2_0079A340
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00795310 3_2_00795310
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00792CF0 3_2_00792CF0
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00797750 3_2_00797750
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00793F38 3_2_00793F38
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00790040 3_2_00790040
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00F2077C 3_2_00F2077C
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00F2D868 3_2_00F2D868
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00F24B68 3_2_00F24B68
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00F254D8 3_2_00F254D8
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00F2EC30 3_2_00F2EC30
Sample file is different than original file name gathered from version info
Source: Pago Transferencia.pdf.exe Binary or memory string: OriginalFilename vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.253625240.0000000006080000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.251510094.0000000003C0D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.251510094.0000000003C0D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000001.00000002.253100415.0000000005BF0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000003.00000000.248740658.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000003.00000002.506211522.0000000000AF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe Binary or memory string: OriginalFilenameIteratorOfTToIteratorAdapt.exe. vs Pago Transferencia.pdf.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Section loaded: wldp.dll
Source: Pago Transferencia.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File read: C:\Users\user\Desktop\Pago Transferencia.pdf.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Pago Transferencia.pdf.exe "C:\Users\user\Desktop\Pago Transferencia.pdf.exe"
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Process created: C:\Users\user\Desktop\Pago Transferencia.pdf.exe C:\Users\user\Desktop\Pago Transferencia.pdf.exe
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pago Transferencia.pdf.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Pago Transferencia.pdf.exe String found in binary or memory: /IteratorOfTToIteratorAdapt;component/views/addbook.xaml
Source: Pago Transferencia.pdf.exe String found in binary or memory: views/addcustomer.baml
Source: Pago Transferencia.pdf.exe String found in binary or memory: views/addbook.baml
Source: Pago Transferencia.pdf.exe String found in binary or memory: /IteratorOfTToIteratorAdapt;component/views/addcustomer.xaml
Source: Pago Transferencia.pdf.exe String found in binary or memory: q/IteratorOfTToIteratorAdapt;component/views/addbook.xaml
Source: Pago Transferencia.pdf.exe String found in binary or memory: /IteratorOfTToIteratorAdapt;component/views/deletecustomer.xamlu/IteratorOfTToIteratorAdapt;component/views/errorview.xamly/IteratorOfTToIteratorAdapt;component/views/smallextras.xamly/IteratorOfTToIteratorAdapt;component/views/addcustomer.xaml
Source: Pago Transferencia.pdf.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Pago Transferencia.pdf.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Pago Transferencia.pdf.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Pago Transferencia.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pago Transferencia.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Pago Transferencia.pdf.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Pago Transferencia.pdf.exe.7a0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Pago Transferencia.pdf.exe.7a0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Pago Transferencia.pdf.exe.600000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Pago Transferencia.pdf.exe.600000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Pago Transferencia.pdf.exe.600000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Pago Transferencia.pdf.exe.600000.11.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Pago Transferencia.pdf.exe.600000.13.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 1_2_007A92F5 push ds; ret 1_2_007A9340
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 1_2_007A9361 push ds; retf 1_2_007A9364
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 1_2_007A9347 push ds; ret 1_2_007A934C
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00609361 push ds; retf 3_2_00609364
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_006092F5 push ds; ret 3_2_00609340
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_00609347 push ds; ret 3_2_0060934C
Source: initial sample Static PE information: section name: .text entropy: 7.87898246248

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Pago Transferencia.pdf.exe
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Process information set: NOOPENFILEERRORBOX (101 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.2c68fb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.2cfb800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 3228, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp, Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250733467.0000000002C01000.00000004.00000001.sdmp, Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239874s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 900 Thread sleep count: 1449 > 30
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 900 Thread sleep count: 614 > 30
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 2176 Thread sleep time: -31669s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239749s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239633s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239515s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239404s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239281s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239140s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -239000s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238874s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238750s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238624s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238515s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238405s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -238047s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -237609s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -237203s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -236359s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -236203s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep time: -236091s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 3532 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep count: 1620 > 30
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe TID: 1560 Thread sleep count: 8234 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239874
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239749
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239633
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239515
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239404
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239140
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239000
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238874
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238624
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238515
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238405
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238047
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 237609
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 237203
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236359
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236203
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236091
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Window / User API: threadDelayed 1449
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Window / User API: threadDelayed 614
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Window / User API: threadDelayed 1620
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Window / User API: threadDelayed 8234
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239874
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 31669
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239749
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239633
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239515
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239404
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239140
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 239000
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238874
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238624
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238515
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238405
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 238047
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 237609
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 237203
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236359
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236203
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 236091
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Thread delayed: delay time: 922337203685477
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Pago Transferencia.pdf.exe, 00000001.00000002.250904097.0000000002CCB000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Code function: 3_2_007903C0 LdrInitializeThunk, 3_2_007903C0
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Process created: C:\Users\user\Desktop\Pago Transferencia.pdf.exe C:\Users\user\Desktop\Pago Transferencia.pdf.exe
Source: Pago Transferencia.pdf.exe, 00000003.00000002.507717551.00000000013A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Pago Transferencia.pdf.exe, 00000003.00000002.507717551.00000000013A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Pago Transferencia.pdf.exe, 00000003.00000002.507717551.00000000013A0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Pago Transferencia.pdf.exe, 00000003.00000002.507717551.00000000013A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Pago Transferencia.pdf.exe, 00000003.00000002.507717551.00000000013A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Users\user\Desktop\Pago Transferencia.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Users\user\Desktop\Pago Transferencia.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3d31df8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3cfc5d8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3d31df8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3cfc5d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.248078811.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.248613721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247491327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.505276535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247106547.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251510094.0000000003C0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 3228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 4876, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Pago Transferencia.pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 4876, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3d31df8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3cfc5d8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Pago Transferencia.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Pago Transferencia.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3d31df8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Pago Transferencia.pdf.exe.3cfc5d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.248078811.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.248613721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247491327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.505276535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247106547.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251510094.0000000003C0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.508136463.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 3228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pago Transferencia.pdf.exe PID: 4876, type: MEMORYSTR
No contacted IP infos