Windows Analysis Report
Aviso de pago.pdf____________________________.exe

Overview

General Information

Sample Name: Aviso de pago.pdf____________________________.exe
Analysis ID: 626184
MD5: 05b6b97166b339557424ca035418a640
SHA1: e1699c9c10d6807650fcc35fc76c7744deeb16be
SHA256: 6797c9eb17e1ad3b41121bc80db0a97ae642bfca0874c8b7bd391507d2ca5540
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 12.0.MSBuild.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "danny@permagraf.com.mx", "Password": "icui4cu2@@", "Host": "mail.permagraf.com.mx"}
Source: Aviso de pago.pdf____________________________.exe ReversingLabs: Detection: 24%
Source: http://195.133.18.171 Avira URL Cloud: Label: malware
Source: http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT Avira URL Cloud: Label: malware
Source: http://195.133.18.171/Znmtganqo_Wvetpunc.jpg Avira URL Cloud: Label: malware
Source: http://195.133.18.171 Virustotal: Detection: 17%
Source: Aviso de pago.pdf____________________________.exe Joe Sandbox ML: detected
Source: 12.0.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 12.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: Aviso de pago.pdf____________________________.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Aviso de pago.pdf____________________________.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: protobuf-net.pdbSHA256 source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0599B1E8
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_0599B8D0
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_0599B8C5
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0599B7B1

Networking

Source: Traffic Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 195.133.18.171:80 -> 192.168.2.6:49763
Source: Yara match File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: AS-REGRU AS-REGRU
Source: global traffic HTTP traffic detected: GET /Znmtganqo_Wvetpunc.jpg HTTP/1.1 Host: 195.133.18.171 Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 195.133.18.171 195.133.18.171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.200 (16 consecutive occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.3 (6 consecutive occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.133 (3 consecutive occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.3 (3 consecutive occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 195.133.18.171 (22 consecutive occurrences)
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://195.133.18.171
Source: Aviso de pago.pdf____________________________.exe String found in binary or memory: http://195.133.18.171/Znmtganqo_Wvetpunc.jpg
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://WPfLXV.com
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample Static PE information: Filename: Aviso de pago.pdf____________________________.exe
Source: 12.0.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{DDFF07F3-CE57-4C09-A970-38E9328FA8D8}/0BCA6C18-22C5-4E81-A07E-D299400C5A1B.cs Large array initialization: .cctor: array initializer size 11790
Source: 12.2.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{DDFF07F3-CE57-4C09-A970-38E9328FA8D8}/0BCA6C18-22C5-4E81-A07E-D299400C5A1B.cs Large array initialization: .cctor: array initializer size 11790
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_00E94A78 0_2_00E94A78
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_0496B5C0 0_2_0496B5C0
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04968D68 0_2_04968D68
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04962010 0_2_04962010
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04966868 0_2_04966868
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04963108 0_2_04963108
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04965280 0_2_04965280
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04965A18 0_2_04965A18
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04966B10 0_2_04966B10
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04962350 0_2_04962350
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_05998D36 0_2_05998D36
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_05994300 0_2_05994300
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_048D0CB8 0_2_048D0CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_050346A0 12_2_050346A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05033D50 12_2_05033D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05034672 12_2_05034672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05034690 12_2_05034690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05F26920 12_2_05F26920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05F27538 12_2_05F27538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05F290F8 12_2_05F290F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05F26C68 12_2_05F26C68
Source: Aviso de pago.pdf____________________________.exe Binary or memory string: OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.486069682.00000000088AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.482976208.00000000077E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: get_OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.482115591.0000000006B50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNkrnkvsubxsztkgs.dll" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000000.361902808.00000000005D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZnmtganqo.exe" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468147986.0000000007EFA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: get_OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe Binary or memory string: OriginalFilenameZnmtganqo.exe" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Aviso de pago.pdf____________________________.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Aviso de pago.pdf____________________________.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Section loaded: windows.staterepositoryps.dll
Source: Aviso de pago.pdf____________________________.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe "C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe"
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Aviso de pago.pdf____________________________.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@0/1
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:120:WilError_01
Source: 12.0.MSBuild.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Aviso de pago.pdf____________________________.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Aviso de pago.pdf____________________________.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Aviso de pago.pdf____________________________.exe, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Aviso de pago.pdf____________________________.exe.5d0000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Aviso de pago.pdf____________________________.exe.5d0000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04967482 push 8B045BD9h; ret 0_2_04967487
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04967288 push 8B044388h; ret 0_2_0496728D
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_049673CA push 8B044389h; ret 0_2_049673D4
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Code function: 0_2_04967355 push 8B045BDDh; ret 0_2_0496735F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0503E1E8 push E802005Eh; retf 12_2_0503E201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0503E204 push E801025Eh; ret 12_2_0503E209
Source: Aviso de pago.pdf____________________________.exe Static PE information: 0xD0E49B7F [Mon Jan 20 23:55:43 2081 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe TID: 6284 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3372 Thread sleep count: 130 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6880 Thread sleep count: 44 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6880 Thread sleep time: -40582836962160988s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6904 Thread sleep count: 3523 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6904 Thread sleep count: 6312 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B71008
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 15
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Queries volume information: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe VolumeInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_05F22654 GetUserNameW, 12_2_05F22654

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aviso de pago.pdf____________________________.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aviso de pago.pdf____________________________.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR