Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Analysis ID:756005
MD5:d55d9c72b27c17af9a53847bec4dad00
SHA1:dbfa157d95af9d351b7051802e5e80a0a78daa05
SHA256:36143d6674053884d6bf2ce1e5bc8dd6f31b9d6b4d2fae272e37ac5649d00520
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"C2 url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentsendMessage?chat_id=document"}
SourceRuleDescriptionAuthorStrings
00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x31109:$a3: MailAccountConfiguration
      • 0x31122:$a5: SmtpAccountConfiguration
      • 0x310e9:$a8: set_BindingAccountConfiguration
      • 0x30057:$a11: get_securityProfile
      • 0x2fef8:$a12: get_useSeparateFolderTree
      • 0x3184c:$a13: get_DnsResolver
      • 0x30307:$a14: get_archivingScope
      • 0x3012f:$a15: get_providerName
      • 0x32837:$a17: get_priority
      • 0x31e0b:$a18: get_advancedParameters
      • 0x31223:$a19: get_disabledByRestriction
      • 0x2fcce:$a20: get_LastAccessed
      • 0x303a1:$a21: get_avatarType
      • 0x31f22:$a22: get_signaturePresets
      • 0x309c8:$a23: get_enableLog
      • 0x301ac:$a26: set_accountName
      • 0x3236d:$a27: set_InternalServerPort
      • 0x2f63d:$a28: set_bindingConfigurationUID
      • 0x31ee8:$a29: set_IdnAddress
      • 0x326eb:$a30: set_GuidMasterKey
      • 0x30207:$a31: set_username
      00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_f2a90d14unknownunknown
      • 0x3dd4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
      00000000.00000002.364684955.000000000300C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Click to see the 18 entries
        SourceRuleDescriptionAuthorStrings
        0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
            • 0x2efc4:$s1: get_kbok
            • 0x2f8f8:$s2: get_CHoo
            • 0x30553:$s3: set_passwordIsSet
            • 0x2edc8:$s4: get_enableLog
            • 0x33519:$s8: torbrowser
            • 0x31ef5:$s10: logins
            • 0x317c3:$s11: credential
            • 0x2e1bc:$g1: get_Clipboard
            • 0x2e1ca:$g2: get_Keyboard
            • 0x2e1d7:$g3: get_Password
            • 0x2f7a6:$g4: get_CtrlKeyDown
            • 0x2f7b6:$g5: get_ShiftKeyDown
            • 0x2f7c7:$g6: get_AltKeyDown
            0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
            • 0x2f509:$a3: MailAccountConfiguration
            • 0x2f522:$a5: SmtpAccountConfiguration
            • 0x2f4e9:$a8: set_BindingAccountConfiguration
            • 0x2e457:$a11: get_securityProfile
            • 0x2e2f8:$a12: get_useSeparateFolderTree
            • 0x2fc4c:$a13: get_DnsResolver
            • 0x2e707:$a14: get_archivingScope
            • 0x2e52f:$a15: get_providerName
            • 0x30c37:$a17: get_priority
            • 0x3020b:$a18: get_advancedParameters
            • 0x2f623:$a19: get_disabledByRestriction
            • 0x2e0ce:$a20: get_LastAccessed
            • 0x2e7a1:$a21: get_avatarType
            • 0x30322:$a22: get_signaturePresets
            • 0x2edc8:$a23: get_enableLog
            • 0x2e5ac:$a26: set_accountName
            • 0x3076d:$a27: set_InternalServerPort
            • 0x2da3d:$a28: set_bindingConfigurationUID
            • 0x302e8:$a29: set_IdnAddress
            • 0x30aeb:$a30: set_GuidMasterKey
            • 0x2e607:$a31: set_username
            0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackWindows_Trojan_AgentTesla_f2a90d14unknownunknown
            • 0x21d4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
            Click to see the 30 entries
            No Sigma rule has matched
            Timestamp:192.168.2.5149.154.167.220497094432851779 11/29/22-13:52:27.896928
            SID:2851779
            Source Port:49709
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeReversingLabs: Detection: 34%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeVirustotal: Detection: 27%Perma Link
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeJoe Sandbox ML: detected
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentsendMessage?chat_id=document"}
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3096.1.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendMessage"}
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49709 -> 149.154.167.220:443
            Source: unknownDNS query: name: api.telegram.org
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://UEYOBD.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588988783.00000000030AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.592198535.0000000006B10000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588649521.0000000003056000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dv3SXfHRU1tFUjfcDW.net
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000003.325953219.00000000010EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com8
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocument
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentdocument-----
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org4
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: api.telegram.org

            System Summary

            barindex
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
            Source: 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEEE02A64u002dA051u002d4832u002d8500u002dBCB6E03153A3u007d/u003277DE882u002dD82Fu002d4CFAu002d82FDu002d8DA69792B4E8.csLarge array initialization: .cctor: array initializer size 12005
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
            Source: 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_00FDC1640_2_00FDC164
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_00FDE5B00_2_00FDE5B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_00FDE5A10_2_00FDE5A1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD49480_2_02CD4948
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD493B0_2_02CD493B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_076100400_2_07610040
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_076100060_2_07610006
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_010819701_2_01081970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108B9F01_2_0108B9F0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_01085FDC1_2_01085FDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108EBE01_2_0108EBE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_01088E311_2_01088E31
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_01083EF81_2_01083EF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_02D247A01_2_02D247A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_02D23E581_2_02D23E58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_02D247101_2_02D24710
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_02D247301_2_02D24730
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_05F875381_2_05F87538
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_05F894F81_2_05F894F8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_05F869201_2_05F86920
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_05F86C681_2_05F86C68
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_010800401_2_01080040
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXanU.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.370119547.00000000073D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357615147.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.585579631.00000000011CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeBinary or memory string: OriginalFilenameXanU.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeReversingLabs: Detection: 34%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeVirustotal: Detection: 27%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.logJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/0
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588624388.0000000003051000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeString found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeString found in binary or memory: Username:-AddusertextBoxUsernameCash
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_00FDF972 pushad ; iretd 0_2_00FDF979
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD0365 push es; retf 0_2_02CD0366
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDA319 push esi; iretd 0_2_02CDA31A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDA31B push esi; iretd 0_2_02CDA322
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDA0F9 push ebp; iretd 0_2_02CDA0FA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDA188 push esi; iretd 0_2_02CDA18A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDA18B push esi; iretd 0_2_02CDA192
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDADEF pushad ; iretd 0_2_02CDADF2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD5478 push ecx; retf 0_2_02CD5486
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDF401 push ecx; ret 0_2_02CDF415
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CDBAE3 push 691402CFh; iretd 0_2_02CDBAEA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD3A40 push ds; iretd 0_2_02CD3A42
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD3A21 push ds; iretd 0_2_02CD3A22
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD9E89 push eax; iretd 0_2_02CD9E8A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD9E90 push eax; iretd 0_2_02CD9E92
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD9EB8 push esp; iretd 0_2_02CD9EBA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 0_2_02CD9EBB push esp; iretd 0_2_02CD9EC2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108DDF1 push FFFFFF83h; ret 1_2_0108DDF3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108D761 pushad ; iretd 1_2_0108D75D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108DEDF push FFFFFF83h; ret 1_2_0108DEE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeCode function: 1_2_0108D6E9 pushad ; iretd 1_2_0108D75D
            Source: initial sampleStatic PE information: section name: .text entropy: 7.661127653184342
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeProcess information set: NOOPENFILE