Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910

Overview

General Information

Sample Name:SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910 (renamed file extension from 21910 to exe)
Analysis ID:680462
MD5:836deaf4e5b11b7ed1a46fea5850b33a
SHA1:4ef5dd4bde33a08e5c17da867ee4d14090673317
SHA256:a83b4422cdae1748849530513cad3dae8e7ccee4f1117e696a4542156f1ae9e7
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe" MD5: 836DEAF4E5B11B7ED1A46FEA5850B33A)
    • cvtres.exe (PID: 6052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sylvainbaril@ocpi.com.my", "Password": "9v91sGq7r9M$", "Host": "mail.ocpi.com.my"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x2f830:$a13: get_DnsResolver
      • 0x2e057:$a20: get_LastAccessed
      • 0x301c2:$a27: set_InternalServerPort
      • 0x304db:$a30: set_GuidMasterKey
      • 0x2e15e:$a33: get_Clipboard
      • 0x2e16c:$a34: get_Keyboard
      • 0x2f463:$a35: get_ShiftKeyDown
      • 0x2f474:$a36: get_AltKeyDown
      • 0x2e179:$a37: get_Password
      • 0x2ec13:$a38: get_PasswordHash
      • 0x2fc30:$a39: get_DefaultCredentials
      00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          Click to see the 20 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
              • 0x304f4:$s10: logins
              • 0x2ff5b:$s11: credential
              • 0x2c55e:$g1: get_Clipboard
              • 0x2c56c:$g2: get_Keyboard
              • 0x2c579:$g3: get_Password
              • 0x2d853:$g4: get_CtrlKeyDown
              • 0x2d863:$g5: get_ShiftKeyDown
              • 0x2d874:$g6: get_AltKeyDown
              1.0.cvtres.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.0.cvtres.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  Click to see the 27 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeVirustotal: Detection: 25%Perma Link
                  Antivirus / Scanner detection for submitted sample
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeAvira: detected
                  Antivirus detection for URL or domain
                  Source: http://mail.ocpi.com.myAvira URL Cloud: Label: malware
                  Machine Learning detection for sample
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeJoe Sandbox ML: detected
                  Source: 1.0.cvtres.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.0.cvtres.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.2.cvtres.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.0.cvtres.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.0.cvtres.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.0.cvtres.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                  Source: 1.0.cvtres.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sylvainbaril@ocpi.com.my", "Password": "9v91sGq7r9M$", "Host": "mail.ocpi.com.my"}
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: KDJFKRKNM.pdb source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: Joe Sandbox ViewIP Address: 220.158.200.104 220.158.200.104
                  Source: Joe Sandbox ViewIP Address: 220.158.200.104 220.158.200.104
                  Source: global trafficTCP traffic: 192.168.2.3:49693 -> 220.158.200.104:587
                  Source: global trafficTCP traffic: 192.168.2.3:49693 -> 220.158.200.104:587
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DPVGsz.com
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
                  Source: cvtres.exe, 00000001.00000002.512904675.0000000006C3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.ocpi.com.my
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://ocsp.thawte.com0
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: http://www.mozilla.com/0
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%%startupfolder%
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeString found in binary or memory: https://www.thawte.com/cps0
                  Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                  Source: unknownDNS traffic detected: queries for: mail.ocpi.com.my

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  .NET source code contains very large array initializations
                  Source: 1.0.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: 1.0.cvtres.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: 1.2.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: 1.0.cvtres.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: 1.0.cvtres.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: 1.0.cvtres.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b849CCF59u002d1BE4u002d4855u002dBBC1u002d20E03C66EAF1u007d/u00391D53450u002d0C90u002d4FFBu002dABF1u002d6E4C372E332A.csLarge array initialization: .cctor: array initializer size 11620
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E6A280
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E61B91
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E67340
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E68F18
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E670C8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E634A8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E62581
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E642C9
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E642D8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E656A8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E662B0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E656B8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E6A270
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E68E4B
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E66250
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E67E29
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E633A7
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E63371
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E67331
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E68F11
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E654C0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E654B9
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E670B9
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E60448
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E67571
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_04EEF080
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_04EE6120
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_04EE02C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_04EEF3C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_04EEF3BD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_092FB880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_092F2A58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_092F0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0A124A78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0A127890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0A12A3E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0A12C660
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0A123179
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000000.241242875.0000000000B42000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247124284.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeBinary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: invalid certificate
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeVirustotal: Detection: 25%
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe "C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.logJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: KDJFKRKNM.pdb source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E63049 push BD9C45C7h; iretd
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: real checksum: 0x484c1 should be: 0x41179
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.743635131824094
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe TID: 6032Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6128Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6132Thread sleep count: 9572 > 30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow / User API: threadDelayed 9572
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 922337203685477
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ADsCAAB2AAARFhMLONYAAAAAEQsfCf4BLAYWKh8KEwsAEQsZ/gEsBgQUURoTCwARCxj+ASwGAxRRGRMLABELGv4BLA4gACAAAI0vAAABCxsTCwARCxv+ASwGFhMEHBMLABELHP4BLAkgACAAAAwdEwsAEQse/gEsFQIgAAAAgCjzAgAGKOoAAAYmHwkTCwARCxf+ASwDGBMLABELHwr+ASwgEQQNAgd0DAAAGxEECBZvuQEAChMGEQYWMzAWKh8LEwsAEQsd/gEsBwgWM9QeEwsAEQsW/gEsAxcTCwARCx8L/gEsAisFOCX///8RBBEG1hMECBEG2gwHdAwAABsWCRnaKLoBAAoRBBIAKM8AAAYsuAMoowAACgd0DAAAGxYGb9sAAApREQQGOxQBAAARBAbaEwcEEQcX2hfWjS8AAAFRFNCCAAABKBQAAAooVQIABhuNBwAAARMIEQgWBygRAAAKohEIFwaMUQAAAaIRCBgEUKIRCBkWjFEAAAGiEQgaEQeMUQAAAaIRCBM
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247647159.00000000048D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %GiEQgaEQeMUQ
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %kWjFEAAAGiEQgaEQeMUQAAAaIRC
                  Source: cvtres.exe, 00000001.00000003.271596448.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.514945881.0000000009DA0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 6E4008
                  .NET source code references suspicious native API functions
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
                  Source: 0.0.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.b40000.0.unpack, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
                  Source: 1.0.cvtres.exe.400000.0.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 1.0.cvtres.exe.400000.3.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 1.2.cvtres.exe.400000.0.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 1.0.cvtres.exe.400000.4.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 1.0.cvtres.exe.400000.2.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 1.0.cvtres.exe.400000.1.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Allocates memory in foreign processes
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara matchFile source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation                  		Path Interception311
                  Process Injection                  		1
                  Masquerading                  		1
                  OS Credential Dumping                  		111
                  Security Software Discovery                  		Remote Services1
                  Email Collection                  		Exfiltration Over Other Network Medium1
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  Native API                  		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop Protocol11
                  Archive Collected Data                  		Exfiltration Over Bluetooth1
                  Non-Standard Port                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                  Virtualization/Sandbox Evasion                  		Security Account Manager131
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin Shares1
                  Data from Local System                  		Automated Exfiltration1
                  Non-Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)311
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer11
                  Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  Remote System Discovery                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Obfuscated Files or Information                  		Cached Domain Credentials114
                  System Information Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                  Software Packing                  		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe25%VirustotalBrowse
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe100%AviraTR/Dropper.MSIL.Gen
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  1.0.cvtres.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  1.0.cvtres.exe.400000.3.unpack100%AviraTR/Spy.Gen8Download File
                  1.2.cvtres.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  1.0.cvtres.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                  0.0.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.b40000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  1.0.cvtres.exe.400000.2.unpack100%AviraTR/Spy.Gen8Download File
                  1.0.cvtres.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  SourceDetectionScannerLabelLink
                  mail.ocpi.com.my1%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://mail.ocpi.com.my1%VirustotalBrowse
                  http://mail.ocpi.com.my100%Avira URL Cloudmalware
                  http://ocsp.thawte.com00%URL Reputationsafe
                  http://DPVGsz.com0%Avira URL Cloudsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                  https://api.ipify.org%%startupfolder%0%URL Reputationsafe
                  https://api.ipify.org%0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  mail.ocpi.com.my
                  		220.158.200.104
                  		truefalseunknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://127.0.0.1:HTTP/1.1cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		low
                  http://mail.ocpi.com.mycvtres.exe, 00000001.00000002.512904675.0000000006C3F000.00000004.00000800.00020000.00000000.sdmptrue
                  • 1%, Virustotal, Browse
                  • Avira URL Cloud: malware
                  		unknown
                  http://cs-g2-crl.thawte.com/ThawteCSG2.crl0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                    		high
                    http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                      		high
                      http://crl.thawte.com/ThawtePCA.crl0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                        		high
                        http://ocsp.thawte.com0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                        • URL Reputation: safe
                        		unknown
                        http://DPVGsz.comcvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwcvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://DynDns.comDynDNSnamejidpasswordPsi/Psicvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.org%%startupfolder%cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		low
                        http://crl.thawte.com/ThawtePremiumServerCA.crl0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                          		high
                          https://www.thawte.com/cps0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                            		high
                            https://api.ipify.org%cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		low
                            http://www.mozilla.com/0SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exefalse
                              		high

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              220.158.200.104
                              		mail.ocpi.com.myMalaysia
                              		55720GIGABIT-MYGigabitHostingSdnBhdMYfalse

                              General Information

                              Joe Sandbox Version:35.0.0 Citrine
                              Analysis ID:680462
                              Start date and time: 08/08/202216:34:082022-08-08 16:34:08 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 7m 4s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910 (renamed file extension from 21910 to exe)
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:12
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              16:35:10API Interceptor1x Sleep call for process: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe modified
                              16:35:13API Interceptor797x Sleep call for process: cvtres.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASNs

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.log

                              Download File
                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.3467126928258955
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                              MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                              SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                              SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                              SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.610837446996928
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.97%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              File size:252208
                              MD5:836deaf4e5b11b7ed1a46fea5850b33a
                              SHA1:4ef5dd4bde33a08e5c17da867ee4d14090673317
                              SHA256:a83b4422cdae1748849530513cad3dae8e7ccee4f1117e696a4542156f1ae9e7
                              SHA512:23bc084df7cf3e6ca758b2787f5cb08ed9f4b63c6e7025461e41840a441f9f61e429570fadafb6247571c42c59634f2e7c8226974a4ae9ede80adc5c82d76bec
                              SSDEEP:6144:xi8lykGCl8Wymm0GcqwDhgBx2mtJwy7Aj:Nw5CPRGcqsgBx2cJwy7C
                              TLSH:93349CF8765375CFC50BC8728AA84C64AA607CB7570BD103E45336DEAD5DA9B8F090A3
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0..X...D......Nw... ........@.. ....................................`................................

                              File Icon

                              Icon Hash:74ecc4d0f0e8ccc4

                              Static PE Info

                              General

                              Entrypoint:0x43774e
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x62F0CDFE [Mon Aug 8 08:49:02 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Authenticode Signature

                              Signature Valid:false
                              Signature Issuer:CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
                              Signature Validation Error:The digital signature of the object did not verify
                              Error Number:-2146869232
                              Not Before, Not After
                              • 10/17/2012 5:00:00 PM 10/18/2013 4:59:59 PM
                              Subject Chain
                              • CN=Mozilla Corporation, OU=Release Engineering, O=Mozilla Corporation, L=Mountain View, S=California, C=US
                              Version:3
                              Thumbprint MD5:D686ED3797F476F0769F99DF2B0BCE73
                              Thumbprint SHA-1:CAC47DBF634D24E9DC93072FE3C8EA6DC3946E89
                              Thumbprint SHA-256:046B93E2298C5D45FB097329D2A7778302298B842664E3EBA261FF617D586F37
                              Serial:3DA9386C2076F738EE246BB8E313A4D4

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0x376f40x57.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x418e.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x3bb980x1d98
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x3e0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x376b00x1c.text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000x357540x35800False0.8646548262266355data7.743635131824094IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc0x380000x418e0x4200False0.1376065340909091data3.022311948175261IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0x3e0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountry
                              RT_ICON0x381a00x468GLS_BINARY_LSB_FIRST
                              RT_ICON0x386080x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                              RT_ICON0x396b00x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                              RT_GROUP_ICON0x3bc580x30data
                              RT_VERSION0x3bc880x31cdata
                              RT_MANIFEST0x3bfa40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Aug 8, 2022 16:35:19.212708950 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:19.480614901 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:19.480779886 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:20.197417021 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:20.197813034 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:20.465657949 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:20.477567911 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:20.745781898 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:20.746294022 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:21.053112984 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:23.238497972 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:23.292165995 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:23.400872946 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:23.668661118 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:23.668735027 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:23.669408083 CEST58749693220.158.200.104192.168.2.3
                              Aug 8, 2022 16:35:23.669513941 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:23.692826986 CEST49693587192.168.2.3220.158.200.104
                              Aug 8, 2022 16:35:23.960593939 CEST58749693220.158.200.104192.168.2.3

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Aug 8, 2022 16:35:19.148879051 CEST5157853192.168.2.38.8.8.8
                              Aug 8, 2022 16:35:19.171308994 CEST53515788.8.8.8192.168.2.3

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                              Aug 8, 2022 16:35:19.148879051 CEST192.168.2.38.8.8.80x937bStandard query (0)mail.ocpi.com.myA (IP address)IN (0x0001)

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                              Aug 8, 2022 16:35:19.171308994 CEST8.8.8.8192.168.2.30x937bNo error (0)mail.ocpi.com.my220.158.200.104A (IP address)IN (0x0001)

                              SMTP Packets

                              TimestampSource PortDest PortSource IPDest IPCommands
                              Aug 8, 2022 16:35:20.197417021 CEST58749693220.158.200.104192.168.2.3220-lion2.sfdns.net ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 22:35:20 +0800
                              220-We do not authorize the use of this system to transport unsolicited,
                              220 and/or bulk e-mail.
                              Aug 8, 2022 16:35:20.197813034 CEST49693587192.168.2.3220.158.200.104EHLO 358075
                              Aug 8, 2022 16:35:20.465657949 CEST58749693220.158.200.104192.168.2.3250-lion2.sfdns.net Hello 358075 [102.129.143.3]
                              250-SIZE 104857600
                              250-8BITMIME
                              250-PIPELINING
                              250-PIPE_CONNECT
                              250-AUTH PLAIN LOGIN
                              250-STARTTLS
                              250 HELP
                              Aug 8, 2022 16:35:20.477567911 CEST49693587192.168.2.3220.158.200.104AUTH login c3lsdmFpbmJhcmlsQG9jcGkuY29tLm15
                              Aug 8, 2022 16:35:20.745781898 CEST58749693220.158.200.104192.168.2.3334 UGFzc3dvcmQ6
                              Aug 8, 2022 16:35:23.238497972 CEST58749693220.158.200.104192.168.2.3535 Incorrect authentication data
                              Aug 8, 2022 16:35:23.400872946 CEST49693587192.168.2.3220.158.200.104MAIL FROM:<sylvainbaril@ocpi.com.my>
                              Aug 8, 2022 16:35:23.668735027 CEST58749693220.158.200.104192.168.2.3550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                              Statistics

                              Behavior

                              Click to jump to process

                              System Behavior

                              General

                              Target ID:0
                              Start time:16:35:09
                              Start date:08/08/2022
                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe"
                              Imagebase:0xb40000
                              File size:252208 bytes
                              MD5 hash:836DEAF4E5B11B7ED1A46FEA5850B33A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              General

                              Target ID:1
                              Start time:16:35:10
                              Start date:08/08/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              Imagebase:0xa60000
                              File size:43176 bytes
                              MD5 hash:C09985AE74F0882F208D75DE27770DFA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate

                              Disassembly

                              No disassembly