Windows Analysis Report microsoft outlook.exe

Overview

General Information

Sample Name: microsoft outlook.exe
Analysis ID: 553252
MD5: 483994a69d86ec2e58ff6468cf049f89
SHA1: 36b1d5e58de9734faa40fe218e415c57e902292e
SHA256: a51cdfc1b836895069dc0e2d8b7e15e13c65714d44278add6ab306061cdbc0c8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • microsoft outlook.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\microsoft outlook.exe" MD5: 483994A69D86EC2E58FF6468CF049F89)
    • microsoft outlook.exe (PID: 1752 cmdline: "C:\Users\user\Desktop\microsoft outlook.exe" MD5: 483994A69D86EC2E58FF6468CF049F89)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(17 entries in total; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author
3.0.microsoft outlook.exe.415058.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.415058.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.400000.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.400000.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.2.microsoft outlook.exe.4950000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(61 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.microsoft outlook.exe.3515530.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}
Multi AV Scanner detection for submitted file
Source: microsoft outlook.exe | Virustotal: Detection: 55%
Antivirus / Scanner detection for submitted sample
Source: microsoft outlook.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Avira: detection malicious, Label: TR/Injector.wiefs
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | ReversingLabs: Detection: 81%
Source: 3.0.microsoft outlook.exe.400000.11.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.9.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.7.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.microsoft outlook.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.1.microsoft outlook.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.microsoft outlook.exe.49a0000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: microsoft outlook.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00402630 FindFirstFileA
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00404A29 FindFirstFileExW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49814 -> 192.185.25.212:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://YcxkAh.com
Source: microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | String found in binary or memory: http://cgyasc.com
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000003.505431063.00000000005E4000.00000004.00000001.sdmp | String found in binary or memory: http://d8P2A6TrVo.net
Source: microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cgyasc.com
Source: microsoft outlook.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: microsoft outlook.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: microsoft outlook.exe, microsoft outlook.exe, 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp, microsoft outlook.exe, 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.cgyasc.com
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\microsoft outlook.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 3.2.microsoft outlook.exe.49a0000.5.unpack, u003cPrivateImplementationDetailsu003eu007b2E0BCB56u002d1BBBu002d423Cu002d8F51u002d94A15D000FB6u007d/C7FAB55Bu002d2018u002d4C8Au002dB9C4u002dBB5765976361.csLarge array initialization: .cctor: array initializer size 11982
                      Source: microsoft outlook.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_004030E3
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_004060431_2_00406043
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_004046181_2_00404618
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_0040681A1_2_0040681A
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D13241_2_6F2D1324
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D75241_2_6F2D7524
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D83261_2_6F2D8326
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D173E1_2_6F2D173E
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1D001_2_6F2D1D00
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D79031_2_6F2D7903
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2F53001_2_6F2F5300
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D151E1_2_6F2D151E
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1B1A1_2_6F2D1B1A
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7B111_2_6F2D7B11
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7D101_2_6F2D7D10
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D15651_2_6F2D1565
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D75671_2_6F2D7567
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D77621_2_6F2D7762
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D38471_2_6F2D3847
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D777F1_2_6F2D777F
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1D7B1_2_6F2D1D7B
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D17731_2_6F2D1773
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1D481_2_6F2D1D48
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D13591_2_6F2D1359
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D23541_2_6F2D2354
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D38471_2_6F2D3847
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1B501_2_6F2D1B50
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D73A81_2_6F2D73A8
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D6E9A1_2_6F2D6E9A
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D19A41_2_6F2D19A4
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1FA41_2_6F2D1FA4
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2DC26F1_2_6F2DC26F
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D17A01_2_6F2D17A0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7BA01_2_6F2D7BA0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D85B51_2_6F2D85B5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1DB41_2_6F2D1DB4
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D219E1_2_6F2D219E
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D38471_2_6F2D3847
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1B911_2_6F2D1B91
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7D921_2_6F2D7D92
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7BE31_2_6F2D7BE3
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D17FD1_2_6F2D17FD
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D69FD1_2_6F2D69FD
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D15FF1_2_6F2D15FF
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1BF21_2_6F2D1BF2
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D15C91_2_6F2D15C9
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7FCB1_2_6F2D7FCB
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D19DE1_2_6F2D19DE
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7DDE1_2_6F2D7DDE
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D17D11_2_6F2D17D1
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1BD21_2_6F2D1BD2
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D5F3C1_2_6F2D5F3C
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D96841_2_6F2D9684
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D763F1_2_6F2D763F
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D16391_2_6F2D1639
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D14051_2_6F2D1405
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D74011_2_6F2D7401
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D201D1_2_6F2D201D
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2FCA161_2_6F2FCA16
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D84111_2_6F2D8411
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7C101_2_6F2D7C10
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1A651_2_6F2D1A65
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D2A721_2_6F2D2A72
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1CAE1_2_6F2D1CAE
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2DB2201_2_6F2DB220
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D78B51_2_6F2D78B5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D58491_2_6F2D5849
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1E8C1_2_6F2D1E8C
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D228F1_2_6F2D228F
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D82801_2_6F2D8280
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D849A1_2_6F2D849A
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D7A951_2_6F2D7A95
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D18911_2_6F2D1891
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D82931_2_6F2D8293
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D6E921_2_6F2D6E92
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D1EE01_2_6F2D1EE0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D84F91_2_6F2D84F9
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D56891_2_6F2D5689
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D20F51_2_6F2D20F5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D6F4C1_2_6F2D6F4C
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D18C51_2_6F2D18C5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D14C01_2_6F2D14C0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D16DF1_2_6F2D16DF
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_0040A2A53_2_0040A2A5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_008351C03_2_008351C0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_0083B4483_2_0083B448
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_008368E03_2_008368E0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_0085E0043_2_0085E004
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_008500683_2_00850068
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_0085AD983_2_0085AD98
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_0085C6503_2_0085C650
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_008557183_2_00855718
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_00856E383_2_00856E38
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_022F47A03_2_022F47A0
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_022FF7383_2_022FF738
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_022F46B03_2_022F46B0
                      Source: microsoft outlook.exe, 00000001.00000003.291108170.0000000002AD6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000001.00000003.299390193.0000000002C6F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs microsoft outlook.exe
                      Source: microsoft outlook.exeBinary or memory string: OriginalFilename vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000002.557857953.0000000000199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
                      Source: microsoft outlook.exe, 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
                      Source: microsoft outlook.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: microsoft outlook.exeVirustotal: Detection: 55%
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile read: C:\Users\user\Desktop\microsoft outlook.exeJump to behavior
                      Source: microsoft outlook.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\microsoft outlook.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe"
                      Source: C:\Users\user\Desktop\microsoft outlook.exeProcess created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe"
                      Source: C:\Users\user\Desktop\microsoft outlook.exeProcess created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\microsoft outlook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile created: C:\Users\user\AppData\Local\Temp\nsr49FD.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_0040411B
                      Source: C:\Users\user\Desktop\microsoft outlook.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,3_2_00401489
                      Source: 3.2.microsoft outlook.exe.49a0000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 3.2.microsoft outlook.exe.49a0000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\microsoft outlook.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Binary string: wntdll.pdbUGP source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_6F2D6AD3 pushfd ; retf 0000h1_2_6F2D6AD5
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 3_2_00401F16 push ecx; ret 3_2_00401F29
                      Source: C:\Users\user\Desktop\microsoft outlook.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405C49
                      Source: microsoft outlook.exeStatic PE information: real checksum: 0x0 should be: 0x9cc38
                      Source: wbyrs.dll.1.drStatic PE information: real checksum: 0x3550e should be: 0x3b412
                      Source: C:\Users\user\Desktop\microsoft outlook.exeFile created: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dllJump to dropped file
                      Source: C:\Users\user\Desktop\microsoft outlook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_1-10690
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 6936; Thread sleep time: -21213755684765971s >= -30000s
                      Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 7000; Thread sleep count: 2268 > 30
                      Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 7000; Thread sleep count: 7579 > 30
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Window / User API: threadDelayed 2268
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Window / User API: threadDelayed 7579
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 3_2_00404A29 FindFirstFileExW, 3_2_00404A29
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; API call chain: ExitProcess graph end node graph_1-10814
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; API call chain: ExitProcess graph end node graph_1-10971
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; API call chain: ExitProcess graph end node graph_3-33893
                      Source: microsoft outlook.exe, 00000003.00000003.522728351.0000000005A7E000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.562236559.0000000005A70000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0040446F
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405C49
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 3_2_004067FE GetProcessHeap, 3_2_004067FE
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_6F2FC402 mov eax, dword ptr fs:[00000030h] 1_2_6F2FC402
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_6F2FC706 mov eax, dword ptr fs:[00000030h] 1_2_6F2FC706
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_6F2FC744 mov eax, dword ptr fs:[00000030h] 1_2_6F2FC744
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_6F2FC616 mov eax, dword ptr fs:[00000030h] 1_2_6F2FC616
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 1_2_6F2FC6C7 mov eax, dword ptr fs:[00000030h] 1_2_6F2FC6C7
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Code function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h] 3_2_004035F1
                      Source: C:\Users\user\Desktop\microsoft outlook.exe; Memory allocated: page read and write | page guard