Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Analysis ID:756189
MD5:f976242274e3a8b6859f43212321e5cd
SHA1:4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x306fd:$a3: MailAccountConfiguration
      • 0x30716:$a5: SmtpAccountConfiguration
      • 0x306dd:$a8: set_BindingAccountConfiguration
      • 0x2f67c:$a11: get_securityProfile
      • 0x2f51d:$a12: get_useSeparateFolderTree
      • 0x30e4f:$a13: get_DnsResolver
      • 0x2f92c:$a14: get_archivingScope
      • 0x2f754:$a15: get_providerName
      • 0x31e2a:$a17: get_priority
      • 0x31401:$a18: get_advancedParameters
      • 0x30817:$a19: get_disabledByRestriction
      • 0x2f2f6:$a20: get_LastAccessed
      • 0x2f9c6:$a21: get_avatarType
      • 0x31518:$a22: get_signaturePresets
      • 0x2ffbc:$a23: get_enableLog
      • 0x2f7d1:$a26: set_accountName
      • 0x31963:$a27: set_InternalServerPort
      • 0x2ec90:$a28: set_bindingConfigurationUID
      • 0x314de:$a29: set_IdnAddress
      • 0x31cde:$a30: set_GuidMasterKey
      • 0x2f82c:$a31: set_username
      00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Click to see the 13 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
              • 0x2e5b8:$s1: get_kbok
              • 0x2eefb:$s2: get_CHoo
              • 0x2fb49:$s3: set_passwordIsSet
              • 0x2e3bc:$s4: get_enableLog
              • 0x32a1c:$s8: torbrowser
              • 0x313f8:$s10: logins
              • 0x30d70:$s11: credential
              • 0x2d7e1:$g1: get_Clipboard
              • 0x2d7ef:$g2: get_Keyboard
              • 0x2d7fc:$g3: get_Password
              • 0x2ed9a:$g4: get_CtrlKeyDown
              • 0x2edaa:$g5: get_ShiftKeyDown
              • 0x2edbb:$g6: get_AltKeyDown
              0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
              • 0x2eafd:$a3: MailAccountConfiguration
              • 0x2eb16:$a5: SmtpAccountConfiguration
              • 0x2eadd:$a8: set_BindingAccountConfiguration
              • 0x2da7c:$a11: get_securityProfile
              • 0x2d91d:$a12: get_useSeparateFolderTree
              • 0x2f24f:$a13: get_DnsResolver
              • 0x2dd2c:$a14: get_archivingScope
              • 0x2db54:$a15: get_providerName
              • 0x3022a:$a17: get_priority
              • 0x2f801:$a18: get_advancedParameters
              • 0x2ec17:$a19: get_disabledByRestriction
              • 0x2d6f6:$a20: get_LastAccessed
              • 0x2ddc6:$a21: get_avatarType
              • 0x2f918:$a22: get_signaturePresets
              • 0x2e3bc:$a23: get_enableLog
              • 0x2dbd1:$a26: set_accountName
              • 0x2fd63:$a27: set_InternalServerPort
              • 0x2d090:$a28: set_bindingConfigurationUID
              • 0x2f8de:$a29: set_IdnAddress
              • 0x300de:$a30: set_GuidMasterKey
              • 0x2dc2c:$a31: set_username
              1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                Click to see the 26 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                No Snort rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeReversingLabs: Detection: 24%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeVirustotal: Detection: 30%Perma Link
                Antivirus / Scanner detection for submitted sample
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeAvira: detected
                Machine Learning detection for sample
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeJoe Sandbox ML: detected
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                barindex
                Yara detected Generic Downloader
                Source: Yara matchFile source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://PcwsIt.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com_
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiva
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comue9
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/aCo
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                .NET source code contains very large array initializations
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.csLarge array initialization: .cctor: array initializer size 11778
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7C1F4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7E640
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_00E7E650
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F38B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F38C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_072B001A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_072B0040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C2C848
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C22618
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C21FF0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C2F5B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C29DB8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4CB00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C49470
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C44C0C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C43550
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4A8E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4E0E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C40040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C40BA8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F94E60
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F9B0E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F96580
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E46A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E45B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E4672
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_010E4690
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000000.241444260.0000000000512000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.300732780.0000000007100000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.506084189.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.284033383.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeBinary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeReversingLabs: Detection: 24%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeVirustotal: Detection: 30%
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.logJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.511302808.0000000002B11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 0_2_070F0015 push eax; iretd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C27A37 push edi; retn 0000h
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4DA58 pushfd ; ret
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C47DC9 push 8BFFFFFFh; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F90434 push eax; ret
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F9A651 push es; ret
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00F90DD0 push 3C00F8CBh; retf
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeStatic PE information: 0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]
                Source: initial sampleStatic PE information: section name: .text entropy: 7.59561068934023
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 2888Thread sleep time: -38122s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 6076Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3092Thread sleep time: -23058430092136925s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3372Thread sleep count: 9862 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWindow / User API: threadDelayed 9862
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeThread delayed: delay time: 38122
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeThread delayed: delay time: 922337203685477
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeCode function: 1_2_00C4C8C0 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe