Windows Analysis Report
b2.exe

Overview

General Information

Sample Name: b2.exe
Analysis ID: 626045
MD5: b23f3235c02c47b25ea90d9830aa37c7
SHA1: 8dbaf4ec74cc2710582157100afe98ff9158d994
SHA256: 46b7d84280339d0b887a8e225d0649e1fcf86302bd553c33716b9c42d3894cc7
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • b2.exe (PID: 4852 cmdline: "C:\Users\user\Desktop\b2.exe" MD5: B23F3235C02C47B25EA90D9830AA37C7)
    • b2.exe (PID: 7148 cmdline: C:\Users\user\Desktop\b2.exe MD5: B23F3235C02C47B25EA90D9830AA37C7)
  • cleanup
Malware Configuration Extractor (Telegram RAT): {"C2 url": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendMessage"}
Malware Configuration Extractor (AgentTesla): {"Exfil Mode": "Telegram", "Chat id": "1329186530", "Chat URL": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocument"}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
Source: 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000C.00000002.613014718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000C.00000002.613014718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000C.00000000.523738264.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
(5 of 13 entries shown)
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 12.0.b2.exe.400000.8.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 12.0.b2.exe.400000.8.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 12.0.b2.exe.400000.8.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 12.0.b2.exe.400000.8.unpack, Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Author: ditekSHen, Strings:
  • 0x30d39:$s1: get_kbok
  • 0x3166d:$s2: get_CHoo
  • 0x322c8:$s3: set_passwordIsSet
  • 0x30b3d:$s4: get_enableLog
  • 0x35272:$s8: torbrowser
  • 0x33c4e:$s10: logins
  • 0x33527:$s11: credential
  • 0x2ff23:$g1: get_Clipboard
  • 0x2ff31:$g2: get_Keyboard
  • 0x2ff3e:$g3: get_Password
  • 0x3151b:$g4: get_CtrlKeyDown
  • 0x3152b:$g5: get_ShiftKeyDown
  • 0x3153c:$g6: get_AltKeyDown
Source: 12.0.b2.exe.400000.6.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
(5 of 19 entries shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 12.0.b2.exe.400000.4.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1329186530", "Chat URL": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocument"}
Source: b2.exe.7148.12.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendMessage"}
Source: b2.exe, Virustotal: Detection: 64%
Source: b2.exe, ReversingLabs: Detection: 75%
Source: b2.exe, Avira: detected
Source: b2.exe, Joe Sandbox ML: detected
Source: 12.0.b2.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 12.2.b2.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: b2.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: b2.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: f.dll.0.dr

Networking

Source: Yara match, File source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: f.dll.0.dr, String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: f.dll.0.dr, String found in binary or memory: http://ocsp.thawte.com0
Source: f.dll.0.dr, String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: f.dll.0.dr, String found in binary or memory: http://s2.symcb.com0
Source: f.dll.0.dr, String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: f.dll.0.dr, String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: f.dll.0.dr, String found in binary or memory: http://sv.symcd.com0&
Source: f.dll.0.dr, String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: f.dll.0.dr, String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: f.dll.0.dr, String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: f.dll.0.dr, String found in binary or memory: http://www.symauth.com/cps0(
Source: f.dll.0.dr, String found in binary or memory: http://www.symauth.com/rpa00
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://xqtbof.com
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: b2.exe, 00000000.00000003.516030971.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515670250.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516280598.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.514691789.000000000636D000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.520969631.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516074359.0000000006A14000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519825219.0000000006A1A000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515451731.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.518667846.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519966505.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocumentdocument-----
Source: f.dll.0.dr, String found in binary or memory: https://d.symcb.com/cps0%
Source: f.dll.0.dr, String found in binary or memory: https://d.symcb.com/rpa0
Source: b2.exe, 00000000.00000003.516030971.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515670250.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516280598.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.514691789.000000000636D000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.520969631.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516074359.0000000006A14000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519825219.0000000006A1A000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515451731.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.518667846.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519966505.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: b2.exe, 00000000.00000002.533971800.0000000000C09000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: b2.exe, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 0.0.b2.exe.4c0000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 0.2.b2.exe.4c0000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.9.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs, Large array initialization: .cctor: array initializer size 12014
Source: 12.2.b2.exe.e00000.1.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.5.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.3.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.13.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.1.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs, Large array initialization: .cctor: array initializer size 12014
Source: 12.0.b2.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs, Large array initialization: .cctor: array initializer size 12014
Source: 12.0.b2.exe.e00000.7.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs, Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs, Large array initialization: .cctor: array initializer size 12014
Source: b2.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\b2.exe, Code function: 0_2_00BEE3F8
Source: C:\Users\user\Desktop\b2.exe, Code function: 0_2_00BEE3E9
Source: C:\Users\user\Desktop\b2.exe, Code function: 0_2_00BE9BB0
Source: C:\Users\user\Desktop\b2.exe, Code function: 0_2_00BE9BC0
Source: C:\Users\user\Desktop\b2.exe, Code function: 12_2_01604800
Source: C:\Users\user\Desktop\b2.exe, Code function: 12_2_01603EB8
Source: C:\Users\user\Desktop\b2.exe, Code function: 12_2_016081C0
Source: C:\Users\user\Desktop\b2.exe, Code function: 12_2_01604710
Source: C:\Users\user\Desktop\b2.exe, Code function: String function: 00BE2970 appears 61 times
Source: C:\Users\user\Desktop\b2.exe, Code function: 0_2_00BED438 CreateProcessAsUserW
Source: b2.exe, Binary or memory string: OriginalFilename vs b2.exe
Source: b2.exe, 00000000.00000002.533971800.0000000000C09000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs b2.exe
Source: b2.exe, 00000000.00000000.344905302.00000000004D8000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe, 0000000C.00000000.513142471.0000000000E18000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameHITvAreWBkWWDoLFBJGDIdpxGN.exe4 vs b2.exe
Source: b2.exe, Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe, Virustotal: Detection: 64%
Source: b2.exe, ReversingLabs: Detection: 75%
Source: b2.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\b2.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\b2.exe "C:\Users\user\Desktop\b2.exe"
Source: C:\Users\user\Desktop\b2.exe, Process created: C:\Users\user\Desktop\b2.exe C:\Users\user\Desktop\b2.exe
Source: C:\Users\user\Desktop\b2.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\b2.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\b2.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b2.exe.log
Source: C:\Users\user\Desktop\b2.exe, File created: C:\Users\user\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8
Source: classification engine, Classification label: mal100.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\b2.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 12.0.b2.exe.400000.4.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.0.b2.exe.400000.12.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.0.b2.exe.400000.6.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\b2.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: b2.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: b2.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: f.dll.0.dr
Source: f.dll.0.dr, Static PE information: section name: .didat
Source: f.dll.0.dr, Static PE information: section name: .00cfg
Source: initial sample, Static PE information: section name: .text entropy: 7.42416946268
Source: C:\Users\user\Desktop\b2.exe, File created: C:\Users\user\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll (dropped file)
Source: C:\Users\user\Desktop\b2.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\b2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\b2.exe | RDTSC instruction interceptor: First address: 0000000072B81D36 second address: 0000000072B82A87 instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-10h], eax
                        0x00000005 mov dword ptr [ebp-0Ch], edx
                        0x00000008 mov eax, dword ptr [ebp-10h]
                        0x0000000b sub eax, dword ptr [ebp-08h]
                        0x0000000e mov edx, dword ptr [ebp-0Ch]
                        0x00000011 sbb edx, dword ptr [ebp-04h]
                        0x00000014 pop edi
                        0x00000015 pop esi
                        0x00000016 pop ebx
                        0x00000017 mov esp, ebp
                        0x00000019 pop ebp
                        0x0000001a ret
                        0x0000001b mov dword ptr [72B953C0h], eax
                        0x00000020 mov dword ptr [72B953C4h], edx
                        0x00000026 mov dword ptr [ebp-0Ch], 00000000h
                        0x0000002d jmp 00007F76FCDA0DEBh
                        0x0000002f mov eax, dword ptr [ebp-0Ch]
                        0x00000032 cmp eax, dword ptr [ebp+08h]
                        0x00000035 jnl 00007F76FCDA0E26h
                        0x00000037 rdtsc
                    Source: C:\Users\user\Desktop\b2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\b2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\b2.exe TID: 6848 | Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\b2.exe TID: 6848 | Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\b2.exe TID: 3268 | Thread sleep count: 6199 > 30
                    Source: C:\Users\user\Desktop\b2.exe TID: 3268 | Thread sleep count: 3585 > 30
                    Source: C:\Users\user\Desktop\b2.exe TID: 6440 | Thread sleep count: 40 > 30
                    Source: C:\Users\user\Desktop\b2.exe TID: 6440 | Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Users\user\Desktop\b2.exe TID: 4696 | Thread sleep count: 3690 > 30
                    Source: C:\Users\user\Desktop\b2.exe TID: 4696 | Thread sleep count: 6133 > 30
                    Source: C:\Users\user\Desktop\b2.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\b2.exe | Window / User API: threadDelayed 6199
                    Source: C:\Users\user\Desktop\b2.exe | Window / User API: threadDelayed 3585
                    Source: C:\Users\user\Desktop\b2.exe | Window / User API: threadDelayed 3690
                    Source: C:\Users\user\Desktop\b2.exe | Window / User API: threadDelayed 6133
                    Source: C:\Users\user\Desktop\b2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\b2.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\b2.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\b2.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\b2.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\b2.exe | Memory written: C:\Users\user\Desktop\b2.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\b2.exe | Process created: C:\Users\user\Desktop\b2.exe C:\Users\user\Desktop\b2.exe