Windows Analysis Report
payment copy.exe

Overview

General Information

Sample Name: payment copy.exe
Analysis ID: 756033
MD5: 52fcd3f3cb7f0eaacc6cc393ba9313da
SHA1: 5a7304f89ce6525e0449ffdf0022f5114d181680
SHA256: eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: payment copy.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe ReversingLabs: Detection: 30%
Source: payment copy.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Joe Sandbox ML: detected
Source: 1.0.payment copy.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.payment copy.exe.474a140.7.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "Emenike@potashin.us", "Password": "})cZs aj5Xr; C"}
Source: payment copy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: payment copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 68.65.122.214 68.65.122.214
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 68.65.122.214:587
Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.542427252.0000000006E40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: WdFVsOe.exe, 0000000F.00000003.392037383.0000000006E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://host39.registrar-servers.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com09
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vpDUpe.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment copy.exe, 00000000.00000003.249126135.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comig
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: payment copy.exe, 00000000.00000003.250990543.000000000631E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.co
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment copy.exe, 00000000.00000003.250921715.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250791703.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250690710.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250751911.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250850742.000000000631E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8&
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersdF-
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers~
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comldwatR8
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: payment copy.exe, 00000000.00000003.247675536.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cndf
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnht
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment copy.exe, 00000000.00000003.250243768.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250205326.00000000062DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.95n
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: payment copy.exe, 00000000.00000003.246833567.00000000062E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.net
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn0
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.m
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wINwvqrEjRpr.net
Source: WdFVsOe.exe, 0000000C.00000002.532509205.000000000357A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wINwvqrEjRpr.net8
Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: host39.registrar-servers.com
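The network and file indicators above are the part of this report that turns into detections. The extracted configuration says the stealer exfiltrates over SMTP, the only resolved host is host39.registrar-servers.com, and the only connection is to 68.65.122.214 on 587. Port 587 is the standard SMTP submission port, so the anomaly is not the port itself but a workstation opening it to a host that is not the organisation's mail provider. The SMTP username and password in the configuration are the actor's drop mailbox; they are evidence for an abuse report to the provider, not something to reuse. The following is an added example, not part of the Joe Sandbox output: a Python sweep that carries only indicators copied from this report (hashes, dropped-file path, host, IP, port) over three common log shapes. The log lines are constructed for the demo; the private IPs and 203.0.113.10 are placeholders.

```python
"""IOC sweep built from the indicators in this report.

Added example, not part of the sandbox report. The indicators (hashes,
dropped-file path, SMTP host, IP, port 587) are copied from the report;
the log lines below are constructed for the demo, not real telemetry.
"""
import re

# Indicators quoted from the report above.
IOCS = {
    "md5": {"52fcd3f3cb7f0eaacc6cc393ba9313da"},
    "sha1": {"5a7304f89ce6525e0449ffdf0022f5114d181680"},
    "sha256": {"eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547"},
    "domains": {"host39.registrar-servers.com"},
    "ips": {"68.65.122.214"},
    # Matched as a path suffix so the profile name does not matter.
    "paths": {r"\appdata\roaming\wdfvsoe\wdfvsoe.exe"},
}
EXFIL_PORT = 587  # SMTP submission; the extracted config says "Exfil Mode": "SMTP"

HEX = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SOCKET = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
WINPATH = re.compile(r"[a-z]:\\[^\s\"']+", re.I)

# Constructed log lines (not from the report) in three common shapes:
# a DNS query log, a firewall connection log and an EDR file-create event.
SAMPLE_LOGS = [
    "dns client=10.0.0.5 query=host39.registrar-servers.com type=A",
    "fw action=allow src=10.0.0.5:49699 dst=68.65.122.214:587 proto=tcp",
    "edr event=FileCreate path=C:\\Users\\bob\\AppData\\Roaming\\WdFVsOe\\WdFVsOe.exe "
    "sha256=eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547",
    "fw action=allow src=10.0.0.7:51000 dst=203.0.113.10:443 proto=tcp",
    "dns client=10.0.0.7 query=www.example.com type=A",
]


def match_line(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []
    for h in HEX.findall(line):
        h = h.lower()
        for kind in ("md5", "sha1", "sha256"):
            if h in IOCS[kind]:
                hits.append((kind, h))
    for host in HOST.findall(line):
        if host.lower() in IOCS["domains"]:
            hits.append(("domain", host.lower()))
    for ip, port in SOCKET.findall(line):
        if ip in IOCS["ips"]:
            hits.append(("ip", ip))
            if int(port) == EXFIL_PORT:
                hits.append(("smtp_submission", f"{ip}:{port}"))
    for path in WINPATH.findall(line):
        if any(path.lower().endswith(tail) for tail in IOCS["paths"]):
            hits.append(("path", path))
    return hits


def sweep(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    out = []
    for line in lines:
        hits = match_line(line)
        if hits:
            out.append((line, hits))
    return out


if __name__ == "__main__":
    for line, hits in sweep(SAMPLE_LOGS):
        print(hits, "<-", line)
```

The hash matcher accepts any 32/40/64-character hex token, so it works on EDR, proxy and mail-gateway logs without per-source parsing; the path match is a suffix compare so the user profile in the report (C:\Users\user\...) does not have to equal the one in your telemetry.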

System Summary

Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample Static PE information: Filename: payment copy.exe
Source: 1.0.payment copy.exe.400000.0.unpack, <PrivateImplementationDetails>{B9A5F9D9-8564-4959-B9E5-6870FE15AC73}/3C0419E1-8030-4D25-B25E-1005A86CEC6B.cs Large array initialization: .cctor: array initializer size 10947
Source: payment copy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
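The rule matches above are on ".unpack" artifacts rather than on the file from disk: the sandbox carves PE images out of process memory (the naming suggests the first process's final dump at 0x474a140, 0x46b2520, 0x462b3f8 and the hollowed child's image at 0x400000), and the AgentTeslaV3 and Elastic rules fire on those decrypted images. The following is an added example, not the sandbox's code, showing the first step of that carving over a raw dump: find every "MZ" whose e_lfanew points at a valid PE signature, read the file header, decode the characteristics into the names the report prints (EXECUTABLE_IMAGE, 32BIT_MACHINE) and check the CLR data directory, which is what separates a .NET payload such as AgentTesla from native loader stubs. The dump it runs on is constructed from two synthetic headers in filler; it is not memory from this sample, and the 0x400 bound on e_lfanew is a heuristic, not a format rule.

```python
"""Carve embedded PE headers out of a raw process-memory dump.

Added example, not the sandbox's code. It performs the first step the
sandbox's ".unpack" entries represent: find every "MZ" whose e_lfanew
points at a PE signature, then read the file header and the CLR data
directory. The dump it runs on is constructed from two synthetic headers
wrapped in filler; it is not memory from the sample.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, named the way the report prints them.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"


def describe_characteristics(flags):
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]


def carve_pe_headers(blob, max_lfanew=0x400):
    """Return one dict per plausible PE header found in blob, in offset order."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # The DOS header is 64 bytes, so e_lfanew < 0x40 is impossible; very
            # large values are almost always random bytes after a stray "MZ".
            if (0x40 <= e_lfanew <= max_lfanew and blob[nt:nt + 4] == b"PE\0\0"
                    and nt + 24 <= len(blob)):
                machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER, blob, nt + 4)
                opt = nt + 24
                if opt + opt_size <= len(blob) and 0 < nsec <= 96:
                    magic = struct.unpack_from("<H", blob, opt)[0]
                    if magic in (0x10B, 0x20B):
                        # DataDirectory[14] (CLR runtime header) is at +208 in PE32, +224 in PE32+.
                        clr_off = opt + (208 if magic == 0x10B else 224)
                        clr_rva, clr_size = (struct.unpack_from("<II", blob, clr_off)
                                             if clr_off + 8 <= opt + opt_size else (0, 0))
                        found.append({
                            "offset": pos,
                            "machine": machine,
                            "sections": nsec,
                            "characteristics": chars,
                            "pe32plus": magic == 0x20B,
                            "dotnet": clr_rva != 0 and clr_size != 0,
                        })
        pos = blob.find(b"MZ", pos + 1)
    return found


def build_fake_pe(machine, managed, pe32plus=False):
    """Construct a minimal DOS + NT header (test data only; no sections, no code)."""
    opt_size, magic, clr_off = (0xF0, 0x20B, 224) if pe32plus else (0xE0, 0x10B, 208)
    chars = 0x0002 | (0x0000 if pe32plus else 0x0100)  # EXECUTABLE_IMAGE [+ 32BIT_MACHINE]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HEADER, machine, 3, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if managed:
        struct.pack_into("<II", opt, clr_off, 0x2008, 0x48)  # non-zero CLR header RVA/size
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed dump: a managed x86 image, a stray "MZ" followed by garbage, then a
# native x64 image. Real dumps are larger and noisier, but the walk is the same.
FILLER = b"\x90" * 200
SAMPLE_DUMP = (FILLER + build_fake_pe(0x14C, managed=True) + b"\0" * 100
               + b"MZjunk" + FILLER + build_fake_pe(0x8664, managed=False, pe32plus=True)
               + FILLER)

if __name__ == "__main__":
    for pe in carve_pe_headers(SAMPLE_DUMP):
        print(hex(pe["offset"]), hex(pe["machine"]),
              describe_characteristics(pe["characteristics"]),
              "dotnet" if pe["dotnet"] else "native")
```

Against a real dump, feed the offsets to a PE parser to rebuild section tables before running the YARA rules listed above; matching on the raw carve alone still works for string-based rules, which is why the report's MEMORY and UNPACKEDPE entries both fire.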
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AFBEA 0_2_018AFBEA
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AC164 0_2_018AC164
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AE5A2 0_2_018AE5A2
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AE5B0 0_2_018AE5B0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_07FA0040 0_2_07FA0040
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_07FA0006 0_2_07FA0006
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0319FAA0 1_2_0319FAA0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCC5AA 1_2_05BCC5AA
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC29F8 1_2_05BC29F8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC0910 1_2_05BC0910
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC0040 1_2_05BC0040
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCD318 1_2_05BCD318
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684076B 1_2_0684076B
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684A598 1_2_0684A598
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068452E8 1_2_068452E8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684C2F0 1_2_0684C2F0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06847F88 1_2_06847F88
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06842F78 1_2_06842F78
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06845CB8 1_2_06845CB8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068467A9 1_2_068467A9
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684C240 1_2_0684C240
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068420D0 1_2_068420D0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684D0D3 1_2_0684D0D3
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06846FB8 1_2_06846FB8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06846DC8 1_2_06846DC8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06914A60 1_2_06914A60
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_069115CD 1_2_069115CD
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_069153C8 1_2_069153C8
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142C164 11_2_0142C164
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142E5A2 11_2_0142E5A2
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142E5B0 11_2_0142E5B0
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_07480040 11_2_07480040
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_07480006 11_2_07480006
Source: payment copy.exe, 00000000.00000000.243677634.000000000104E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.267575287.0000000007D40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000001.00000002.508740371.00000000012F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs payment copy.exe
Source: payment copy.exe, 00000001.00000000.259132151.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe
Source: payment copy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WdFVsOe.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: payment copy.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\payment copy.exe File read: C:\Users\user\Desktop\payment copy.exe
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: C:\Users\user\Desktop\payment copy.exe Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.log
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Local\Temp\tmp7046.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/1
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: payment copy.exe, 00000001.00000002.532660218.00000000035D2000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.532455798.0000000003575000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531618020.00000000036A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: payment copy.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\payment copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: payment copy.exe String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: payment copy.exe String found in binary or memory: Username:-AddusertextBoxUsernameCash
Source: 1.0.payment copy.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\payment copy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\payment copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AF972 pushad ; iretd 0_2_018AF979
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCEEA3 push edi; retf 1_2_05BCEEA6
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCEAF4 push es; iretd 1_2_05BCEAF7
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068418F7 push es; retf 1_2_0684193C
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419C7 push es; retf 1_2_068419C8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419CF push es; retf 1_2_068419D0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419CB push es; retf 1_2_068419CC
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419D7 push es; retf 1_2_068419D8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419D3 push es; retf 1_2_068419D4
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684197B push es; retf 1_2_0684197C
Source: initial sample Static PE information: section name: .text entropy: 7.672485147748669
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment copy.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\payment copy.exe File opened: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 5864, type: MEMORYSTR
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\payment copy.exe TID: 6052 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 5208 Thread sleep count: 9815 > 30
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99850s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99612s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98934s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98825s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98694s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98574s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98452s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98150s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97827s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97715s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97608s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97499s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97390s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97276s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2064 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2384 Thread sleep count: 9733 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99856s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99704s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99563s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99407s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99032s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98915s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98657s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98527s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98407s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98282s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97905s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97465s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97232s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3408 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5164 Thread sleep count: 9634 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99869s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99529s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98929s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97780s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97546s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment copy.exe Window / User API: threadDelayed 9815
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9733
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9634
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 38122
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99850
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99734
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99612
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99499
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99390
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99281
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99172
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99047
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98934
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98825
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98694
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98574
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98452
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98328
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98150
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98046
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97937
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97827
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97715
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97608
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97499
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97390
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97276
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99856
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99704
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99563
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99407
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99250
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99141
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99032
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98915
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98657
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98527
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98407
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98282
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98016
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97905
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97465
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97344
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97232
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99869
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99749
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99529
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99047
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98929
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97780
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97546
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97437
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
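The sleep, WMI and memory-string entries above are the raw material behind the "May sleep (evasive loops)", "Contains long sleeps" and "Queries sensitive BIOS Information" signatures. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that folds a handful of those entries (copied into a constructed sample, with the long memory-string entries trimmed to two dumps) into one evasion record per process image. It makes three assumptions of its own: the "Thread sleep time" values are treated as milliseconds; the value 922337203685477 is recognised as Int64.MaxValue / 10000, the millisecond value of .NET's TimeSpan.MaxValue, and so reported as an unbounded wait rather than a timer; and three or more strictly decreasing delays on one thread (the 100000, 99850, 99734 ... run on TID 2584) are flagged as a loop that re-sleeps for "deadline minus now", which a sandbox cannot skip by returning early from Sleep unless it also advances the clock. The SANDBOX_STRINGS table and the summarize / evasion_findings names are this example's, not the report's; the "Thread delayed" entries repeat the same values in positive form and are not parsed.

```python
import re
from collections import defaultdict

# Int64.MaxValue / 10000 ticks per ms: the millisecond value of .NET TimeSpan.MaxValue.
# A delay of this size is an unbounded wait, not a timer that ever fires.
INFINITE_MS = 922337203685477

# Memory-string fragments that name analysis tooling (this mapping is the example's
# own assumption, not something the report states).
SANDBOX_STRINGS = {"SBIEDLL.DLL": "Sandboxie", "WINE_GET_UNIX_FILE_NAME": "Wine", "VMWARE": "VMware"}

SLEEP_TIME_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
SLEEP_COUNT_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")
WMI_RE = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: .*?root\\cimv2 : (?:SELECT \* FROM )?(?P<cls>Win32_\w+)")
STRING_RE = re.compile(r"Binary or memory string: (?P<s>.+)$")

# Constructed sample: behaviour entries copied (string entries trimmed) from the report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\payment copy.exe TID: 6052 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 5208 Thread sleep count: 9815 > 30
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99850s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99856s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2384 Thread sleep count: 9733 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
""".strip().splitlines()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def summarize(lines):
    """Fold behaviour entries into one record per process image name."""
    summary = defaultdict(lambda: {"sleep_events": 0, "infinite_waits": 0, "max_delay_ms": 0,
                                   "countdown_threads": set(), "loop_counts": {},
                                   "wmi_classes": set(), "sandbox_hits": set()})
    delays = defaultdict(list)  # (proc, tid) -> finite delays in report order
    for line in lines:
        if m := SLEEP_TIME_RE.match(line):
            proc, ms = basename(m["proc"]), int(m["ms"])
            rec = summary[proc]
            rec["sleep_events"] += 1
            if ms >= INFINITE_MS:
                rec["infinite_waits"] += 1
            else:
                rec["max_delay_ms"] = max(rec["max_delay_ms"], ms)
                delays[(proc, m["tid"])].append(ms)
        elif m := SLEEP_COUNT_RE.match(line):
            summary[basename(m["proc"])]["loop_counts"][m["tid"]] = int(m["n"])
        elif m := WMI_RE.match(line):
            summary[basename(m["proc"])]["wmi_classes"].add(m["cls"])
        elif m := STRING_RE.search(line):
            # A string entry lists every image and memory dump the string was found in;
            # credit the hit to each ".exe" token that precedes the string itself.
            head = line.split("Binary or memory string:")[0]
            procs = {t.removeprefix("Source: ").strip()
                     for t in head.split(", ") if t.strip().endswith(".exe")}
            for needle, vendor in SANDBOX_STRINGS.items():
                if needle in m["s"].upper():
                    for proc in procs:
                        summary[proc]["sandbox_hits"].add(vendor)
    # Three or more strictly decreasing finite delays on one thread look like a loop that
    # re-sleeps for "deadline minus now": returning early from Sleep alone cannot skip it.
    for (proc, tid), series in delays.items():
        if len(series) >= 3 and all(a > b for a, b in zip(series, series[1:])):
            summary[proc]["countdown_threads"].add(tid)
    return dict(summary)


def evasion_findings(summary, long_sleep_ms=30000, loop_threshold=30):
    """Turn records into findings; thresholds mirror the ">= -30000s" and "> 30" in the entries."""
    findings = {}
    for proc, rec in sorted(summary.items()):
        reasons = []
        if rec["infinite_waits"]:
            reasons.append(f"{rec['infinite_waits']} unbounded wait(s) of TimeSpan.MaxValue")
        if rec["max_delay_ms"] >= long_sleep_ms:
            reasons.append(f"longest finite delay {rec['max_delay_ms']} ms")
        if rec["countdown_threads"]:
            reasons.append("countdown loop on TID " + ", ".join(sorted(rec["countdown_threads"])))
        for tid, n in sorted(rec["loop_counts"].items()):
            if n > loop_threshold:
                reasons.append(f"TID {tid} slept {n} times")
        if rec["wmi_classes"]:
            reasons.append("hardware fingerprint via WMI: " + ", ".join(sorted(rec["wmi_classes"])))
        if rec["sandbox_hits"]:
            reasons.append("analysis-tool strings: " + ", ".join(sorted(rec["sandbox_hits"])))
        findings[proc] = reasons
    return findings


if __name__ == "__main__":
    print(evasion_findings(summarize(SAMPLE_REPORT)))
```

Run against the constructed sample, payment copy.exe collects six findings (one unbounded wait, a 100000 ms longest delay, the countdown loop on TID 2584, 9815 sleeps on TID 5208, the Win32_BaseBoard and Win32_Processor queries, and the Sandboxie and Wine strings) and WdFVsOe.exe five, since its two finite delays on TID 6100 are too few to establish a countdown. Feeding the whole "Malware Analysis System Evasion" section through summarize() instead of the sample gives the per-process view the flat entry list does not.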
Source: C:\Users\user\Desktop\payment copy.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06847F88 LdrInitializeThunk, 1_2_06847F88
Source: C:\Users\user\Desktop\payment copy.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\payment copy.exe Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Users\user\Desktop\payment copy.exe VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Users\user\Desktop\payment copy.exe VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR
Source: C:\Users\user\Desktop\payment copy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR