Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Analysis ID:756189
MD5:f976242274e3a8b6859f43212321e5cd
SHA1:4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}
SourceRuleDescriptionAuthorStrings
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x306fd:$a3: MailAccountConfiguration
      • 0x30716:$a5: SmtpAccountConfiguration
      • 0x306dd:$a8: set_BindingAccountConfiguration
      • 0x2f67c:$a11: get_securityProfile
      • 0x2f51d:$a12: get_useSeparateFolderTree
      • 0x30e4f:$a13: get_DnsResolver
      • 0x2f92c:$a14: get_archivingScope
      • 0x2f754:$a15: get_providerName
      • 0x31e2a:$a17: get_priority
      • 0x31401:$a18: get_advancedParameters
      • 0x30817:$a19: get_disabledByRestriction
      • 0x2f2f6:$a20: get_LastAccessed
      • 0x2f9c6:$a21: get_avatarType
      • 0x31518:$a22: get_signaturePresets
      • 0x2ffbc:$a23: get_enableLog
      • 0x2f7d1:$a26: set_accountName
      • 0x31963:$a27: set_InternalServerPort
      • 0x2ec90:$a28: set_bindingConfigurationUID
      • 0x314de:$a29: set_IdnAddress
      • 0x31cde:$a30: set_GuidMasterKey
      • 0x2f82c:$a31: set_username
      00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Click to see the 13 entries
          SourceRuleDescriptionAuthorStrings
          0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
              • 0x2e5b8:$s1: get_kbok
              • 0x2eefb:$s2: get_CHoo
              • 0x2fb49:$s3: set_passwordIsSet
              • 0x2e3bc:$s4: get_enableLog
              • 0x32a1c:$s8: torbrowser
              • 0x313f8:$s10: logins
              • 0x30d70:$s11: credential
              • 0x2d7e1:$g1: get_Clipboard
              • 0x2d7ef:$g2: get_Keyboard
              • 0x2d7fc:$g3: get_Password
              • 0x2ed9a:$g4: get_CtrlKeyDown
              • 0x2edaa:$g5: get_ShiftKeyDown
              • 0x2edbb:$g6: get_AltKeyDown
              0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
              • 0x2eafd:$a3: MailAccountConfiguration
              • 0x2eb16:$a5: SmtpAccountConfiguration
              • 0x2eadd:$a8: set_BindingAccountConfiguration
              • 0x2da7c:$a11: get_securityProfile
              • 0x2d91d:$a12: get_useSeparateFolderTree
              • 0x2f24f:$a13: get_DnsResolver
              • 0x2dd2c:$a14: get_archivingScope
              • 0x2db54:$a15: get_providerName
              • 0x3022a:$a17: get_priority
              • 0x2f801:$a18: get_advancedParameters
              • 0x2ec17:$a19: get_disabledByRestriction
              • 0x2d6f6:$a20: get_LastAccessed
              • 0x2ddc6:$a21: get_avatarType
              • 0x2f918:$a22: get_signaturePresets
              • 0x2e3bc:$a23: get_enableLog
              • 0x2dbd1:$a26: set_accountName
              • 0x2fd63:$a27: set_InternalServerPort
              • 0x2d090:$a28: set_bindingConfigurationUID
              • 0x2f8de:$a29: set_IdnAddress
              • 0x300de:$a30: set_GuidMasterKey
              • 0x2dc2c:$a31: set_username
              1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                Click to see the 26 entries
                No Sigma rule has matched
                No Snort rule has matched

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeReversingLabs: Detection: 24%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeVirustotal: Detection: 30%Perma Link
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeAvira: detected
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeJoe Sandbox ML: detected
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                barindex
                Source: Yara matchFile source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://PcwsIt.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com_
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiva
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comue9
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/aCo
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary

                barindex
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.csLarge array initialization: .cctor: array initializer size 11778
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7C1F40_2_00E7C1F4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7E6400_2_00E7E640
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7E6500_2_00E7E650
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F38B00_2_070F38B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F38C00_2_070F38C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_072B001A0_2_072B001A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_072B00400_2_072B0040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C2C8481_2_00C2C848
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C226181_2_00C22618
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C21FF01_2_00C21FF0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C2F5B01_2_00C2F5B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C29DB81_2_00C29DB8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4CB001_2_00C4CB00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C494701_2_00C49470
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C44C0C1_2_00C44C0C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C435501_2_00C43550
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4A8E01_2_00C4A8E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4E0E81_2_00C4E0E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C400401_2_00C40040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C40BA81_2_00C40BA8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F94E601_2_00F94E60
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F9B0E81_2_00F9B0E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F965801_2_00F96580
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E46A01_2_010E46A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E45B01_2_010E45B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E46721_2_010E4672
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E46901_2_010E4690
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000000.241444260.0000000000512000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.300732780.0000000007100000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.506084189.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.284033383.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeBinary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeReversingLabs: Detection: 24%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeVirustotal: Detection: 30%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.logJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.511302808.0000000002B11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                barindex
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F0015 push eax; iretd 0_2_070F0016
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C27A37 push edi; retn 0000h1_2_00C27A39
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4DA58 pushfd ; ret 1_2_00C4DA59
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C47DC9 push 8BFFFFFFh; retf 1_2_00C47DD8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F90434 push eax; ret 1_2_00F90442
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F9A651 push es; ret 1_2_00F9A67E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F90DD0 push 3C00F8CBh; retf 1_2_00F90DD5
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: 0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]
                Source: initial sampleStatic PE information: section name: .text entropy: 7.59561068934023
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Source: Yara matchFile source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME