Windows Analysis Report
SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910

Overview

General Information

Sample Name: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910 (renamed file extension from 21910 to exe)
Analysis ID: 680462
MD5: 836deaf4e5b11b7ed1a46fea5850b33a
SHA1: 4ef5dd4bde33a08e5c17da867ee4d14090673317
SHA256: a83b4422cdae1748849530513cad3dae8e7ccee4f1117e696a4542156f1ae9e7
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Virustotal: Detection: 25% Perma Link
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Avira: detected
Antivirus detection for URL or domain
Source: http://mail.ocpi.com.my Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.cvtres.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.cvtres.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sylvainbaril@ocpi.com.my", "Password": "9v91sGq7r9M$", "Host": "mail.ocpi.com.my"}
Uses 32bit PE files
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: KDJFKRKNM.pdb source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 220.158.200.104 220.158.200.104
Source: Joe Sandbox View IP Address: 220.158.200.104 220.158.200.104
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49693 -> 220.158.200.104:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49693 -> 220.158.200.104:587
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DPVGsz.com
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: cvtres.exe, 00000001.00000002.512904675.0000000006C3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.ocpi.com.my
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: http://www.mozilla.com/0
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe String found in binary or memory: https://www.thawte.com/cps0
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.ocpi.com.my

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
.NET source code contains very large array initializations
Source: 1.0.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Source: 1.2.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.cs Large array initialization: .cctor: array initializer size 11620
Uses 32bit PE files
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E6A280 0_2_02E6A280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E61B91 0_2_02E61B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E67340 0_2_02E67340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E68F18 0_2_02E68F18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E670C8 0_2_02E670C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E634A8 0_2_02E634A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E62581 0_2_02E62581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E642C9 0_2_02E642C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E642D8 0_2_02E642D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E656A8 0_2_02E656A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E662B0 0_2_02E662B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E656B8 0_2_02E656B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E6A270 0_2_02E6A270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E68E4B 0_2_02E68E4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E66250 0_2_02E66250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E67E29 0_2_02E67E29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E633A7 0_2_02E633A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E63371 0_2_02E63371
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E67331 0_2_02E67331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E68F11 0_2_02E68F11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E654C0 0_2_02E654C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E654B9 0_2_02E654B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E670B9 0_2_02E670B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E60448 0_2_02E60448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E67571 0_2_02E67571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_04EEF080 1_2_04EEF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_04EE6120 1_2_04EE6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_04EE02C2 1_2_04EE02C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_04EEF3C8 1_2_04EEF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_04EEF3BD 1_2_04EEF3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_092FB880 1_2_092FB880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_092F2A58 1_2_092F2A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_092F0040 1_2_092F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0A124A78 1_2_0A124A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0A127890 1_2_0A127890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0A12A3E0 1_2_0A12A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0A12C660 1_2_0A12C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0A123179 1_2_0A123179
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000000.241242875.0000000000B42000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247124284.00000000030E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Binary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
PE file contains strange resources
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Virustotal: Detection: 25%
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe "C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: KDJFKRKNM.pdb source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Code function: 0_2_02E63049 push BD9C45C7h; iretd 0_2_02E6304F
PE file contains an invalid checksum
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Static PE information: real checksum: 0x484c1 should be: 0x41179
Source: initial sample Static PE information: section name: .text entropy: 7.743635131824094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe TID: 6032 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6128 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6132 Thread sleep count: 9572 > 30 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Window / User API: threadDelayed 9572 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ADsCAAB2AAARFhMLONYAAAAAEQsfCf4BLAYWKh8KEwsAEQsZ/gEsBgQUURoTCwARCxj+ASwGAxRRGRMLABELGv4BLA4gACAAAI0vAAABCxsTCwARCxv+ASwGFhMEHBMLABELHP4BLAkgACAAAAwdEwsAEQse/gEsFQIgAAAAgCjzAgAGKOoAAAYmHwkTCwARCxf+ASwDGBMLABELHwr+ASwgEQQNAgd0DAAAGxEECBZvuQEAChMGEQYWMzAWKh8LEwsAEQsd/gEsBwgWM9QeEwsAEQsW/gEsAxcTCwARCx8L/gEsAisFOCX///8RBBEG1hMECBEG2gwHdAwAABsWCRnaKLoBAAoRBBIAKM8AAAYsuAMoowAACgd0DAAAGxYGb9sAAApREQQGOxQBAAARBAbaEwcEEQcX2hfWjS8AAAFRFNCCAAABKBQAAAooVQIABhuNBwAAARMIEQgWBygRAAAKohEIFwaMUQAAAaIRCBgEUKIRCBkWjFEAAAGiEQgaEQeMUQAAAaIRCBM
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247647159.00000000048D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %GiEQgaEQeMUQ
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %kWjFEAAAGiEQgaEQeMUQAAAaIRC
Source: cvtres.exe, 00000001.00000003.271596448.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.514945881.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 6E4008 Jump to behavior
.NET source code references suspicious native API functions
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, u200f????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.0.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.b40000.0.unpack, u200f????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 1.0.cvtres.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.3.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.2.cvtres.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.4.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.2.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.1.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 680462 Sample: SecuriteInfo.com.Suspicious... Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus detection for URL or domain 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 5 other signatures 2->24 6 SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe 1 2->6         started        process3 file4 14 SecuriteInfo.com.S...Save.a.5066.exe.log, ASCII 6->14 dropped 26 Writes to foreign memory regions 6->26 28 Allocates memory in foreign processes 6->28 30 Injects a PE file into a foreign processes 6->30 10 cvtres.exe 2 6->10         started        signatures5 process6 dnsIp7 16 mail.ocpi.com.my 220.158.200.104, 49693, 587 GIGABIT-MYGigabitHostingSdnBhdMY Malaysia 10->16 32 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->32 34 Tries to steal Mail credentials (via file / registry access) 10->34 36 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->36 38 Tries to harvest and steal browser information (history, passwords, etc) 10->38 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
220.158.200.104
 mail.ocpi.com.my Malaysia
55720 GIGABIT-MYGigabitHostingSdnBhdMY false

Contacted Domains

Name IP Active
mail.ocpi.com.my 220.158.200.104 true