Loading ...

Play interactive tourEdit tour

Windows Analysis Report Waybilldoc_220950655.pdf.exe

Overview

General Information

Sample Name:Waybilldoc_220950655.pdf.exe
Analysis ID:532918
MD5:717a4adeeaf2cc5ccccc944accb3b2fd
SHA1:834b3549011ac52fa34c2299b8194087f6a695e8
SHA256:52ffc0a75a42165e68bc35efc7b9bdd4069c7f5d4054c040737cfc87ae158da8
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ugo@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000003.00000000.282755212.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000000.282755212.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 15 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.Waybilldoc_220950655.pdf.exe.2891bac.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
              1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                      Click to see the 16 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Double ExtensionShow sources
                      Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, CommandLine: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, NewProcessName: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe" , ParentImage: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, ParentProcessId: 7004, ProcessCommandLine: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe, ProcessId: 7124

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ugo@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpString found in binary or memory: http://uArhJl.com
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.286150173.0000000003879000.00000004.00000001.sdmp, Waybilldoc_220950655.pdf.exe, 00000003.00000000.282755212.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Waybilldoc_220950655.pdf.exe
                      Source: initial sampleStatic PE information: Filename: Waybilldoc_220950655.pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.csLarge array initialization: .cctor: array initializer size 11787
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.csLarge array initialization: .cctor: array initializer size 11787
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.csLarge array initialization: .cctor: array initializer size 11787
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.csLarge array initialization: .cctor: array initializer size 11787
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b576C0370u002dDCAFu002d423Eu002d8F1Fu002d624A7F18491Cu007d/u00364BA41D5u002dAF46u002d4AFCu002d9FA5u002dE8F45566EA94.csLarge array initialization: .cctor: array initializer size 11787
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_00C8C6D41_2_00C8C6D4
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_00C8EB081_2_00C8EB08
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_00C8EB181_2_00C8EB18
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_04CEEF881_2_04CEEF88
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_04CEEF901_2_04CEEF90
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 3_2_014B14383_2_014B1438
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 3_2_015646A03_2_015646A0
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 3_2_015645B03_2_015645B0
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 3_2_0156DA003_2_0156DA00
                      Source: Waybilldoc_220950655.pdf.exeBinary or memory string: OriginalFilename vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.284429418.0000000000402000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePropertyIn.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.286150173.0000000003879000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.286150173.0000000003879000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.288796065.0000000005B50000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exeBinary or memory string: OriginalFilename vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000000.283379090.0000000000CD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePropertyIn.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.544853027.0000000000438000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamegupTdBQVaomyfnIgAVHNNfxuAxDWRnFw.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.545500522.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exeBinary or memory string: OriginalFilenamePropertyIn.exe4 vs Waybilldoc_220950655.pdf.exe
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe "C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe"
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess created: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess created: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Waybilldoc_220950655.pdf.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Waybilldoc_220950655.pdf.exe, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.Waybilldoc_220950655.pdf.exe.400000.0.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.9.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.7.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.5.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.3.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.1.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.2.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.Waybilldoc_220950655.pdf.exe.cd0000.11.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.Waybilldoc_220950655.pdf.exe.cd0000.1.unpack, HX/Gr.cs.Net Code: zG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_00407279 push es; ret 1_2_00407376
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 1_2_00C8E638 push eax; iretd 1_2_00C8E641
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeCode function: 3_2_00CD7279 push es; ret 3_2_00CD7376
                      Source: Waybilldoc_220950655.pdf.exeStatic PE information: 0x91B4DF98 [Wed Jun 19 09:40:40 2047 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.78942430376

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Uses an obfuscated file name to hide its real file extension (double extension)Show sources
                      Source: Possible double extension: pdf.exeStatic PE information: Waybilldoc_220950655.pdf.exe
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.2891bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7004, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmp, Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285254478.0000000002871000.00000004.00000001.sdmp, Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe TID: 7008Thread sleep time: -37979s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe TID: 7044Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe TID: 2176Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe TID: 2504Thread sleep count: 2091 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe TID: 2504Thread sleep count: 7743 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWindow / User API: threadDelayed 2091Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWindow / User API: threadDelayed 7743Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeThread delayed: delay time: 37979Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.288796065.0000000005B50000.00000004.00020000.sdmpBinary or memory string: dcZtPLJoVMcibUETQAN
                      Source: Waybilldoc_220950655.pdf.exe, 00000001.00000002.285322085.00000000028AD000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeProcess created: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeJump to behavior
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547449889.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547449889.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547449889.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: Waybilldoc_220950655.pdf.exe, 00000003.00000002.547449889.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.3908fb0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.3908fb0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.282755212.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.281746367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.282312678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.544593892.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.283323027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.286150173.0000000003879000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7124, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)Show sources
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Waybilldoc_220950655.pdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: Yara matchFile source: 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7124, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.3908fb0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Waybilldoc_220950655.pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Waybilldoc_220950655.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.3908fb0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Waybilldoc_220950655.pdf.exe.38d3790.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.282755212.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.281746367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.282312678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.544593892.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.283323027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.286150173.0000000003879000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.547694451.0000000003091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Waybilldoc_220950655.pdf.exe PID: 7124, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection12Masquerading11OS Credential Dumping1Security Software Discovery211Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerVirtualization/Sandbox Evasion131SMB/Windows Admin SharesData from Local System1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection12NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery114SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information12Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing13DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.