Windows Analysis Report
Arrival Notice CIA INV.exe

Overview

General Information

Sample name: Arrival Notice CIA INV.exe
Analysis ID: 1416054
MD5: 3e106abbfe0c2a9909ddf61528e91f1d
SHA1: f650705c7f784edc4aa97c2539713ed4483491df
SHA256: 4658db261066122d0f627ac3452a3dbc06dea0c458f706a7be9f615a0f00995d
Tags: exeHUN
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Arrival Notice CIA INV.exe Avira: detected
Found malware configuration
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fedcraw.org.za", "Username": "nadmin@fedcraw.org.za", "Password": "nadmin@2018"}
Multi AV Scanner detection for submitted file
Source: Arrival Notice CIA INV.exe ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: Arrival Notice CIA INV.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Arrival Notice CIA INV.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Arrival Notice CIA INV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49699 -> 65.181.111.239:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49699 -> 65.181.111.239:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.fedcraw.org.za
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedcraw.org.za
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.fedcraw.org.za
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4526322993.00000000066E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4526322993.00000000066E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, NDL2m67zO.cs .Net Code: nKofB6C
Source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, NDL2m67zO.cs .Net Code: nKofB6C
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Arrival Notice CIA INV.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Arrival Notice CIA INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Arrival Notice CIA INV.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00D8DC14 0_2_00D8DC14
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F219C0 0_2_00F219C0
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F20040 0_2_00F20040
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F20011 0_2_00F20011
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F219B0 0_2_00F219B0
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F2411C 0_2_00F2411C
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02AB9368 2_2_02AB9368
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02AB4A98 2_2_02AB4A98
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02AB9B28 2_2_02AB9B28
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02AB3E80 2_2_02AB3E80
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02ABCE98 2_2_02ABCE98
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_02AB41C8 2_2_02AB41C8
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F56E8 2_2_061F56E8
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F3F58 2_2_061F3F58
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061FBCF8 2_2_061FBCF8
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F9AD8 2_2_061F9AD8
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F2AF0 2_2_061F2AF0
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F8B90 2_2_061F8B90
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F0040 2_2_061F0040
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F3250 2_2_061F3250
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 2_2_061F5008 2_2_061F5008
Sample file is different than original file name gathered from version info
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0ca88bbc-5aff-44dc-98a3-41f6d03519e2.exe4 vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2071070950.0000000005D00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2063972636.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000000.00000002.2065432353.0000000002960000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0ca88bbc-5aff-44dc-98a3-41f6d03519e2.exe4 vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4522022647.0000000000D69000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename0ca88bbc-5aff-44dc-98a3-41f6d03519e2.exe4 vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dll vs Arrival Notice CIA INV.exe
Source: Arrival Notice CIA INV.exe Binary or memory string: OriginalFilenamePIiJ.exe> vs Arrival Notice CIA INV.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Section loaded: edputil.dll Jump to behavior
Uses 32bit PE files
Source: Arrival Notice CIA INV.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Arrival Notice CIA INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Arrival Notice CIA INV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: _0020.SetAccessControl
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: _0020.AddAccessRule
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, esEYgF8HoRATGuQB6y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: _0020.SetAccessControl
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, YjrFZXPQlT2NQWPl3H.cs Security API names: _0020.AddAccessRule
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, esEYgF8HoRATGuQB6y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Arrival Notice CIA INV.exe.2941cc0.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Arrival Notice CIA INV.exe.297889c.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Arrival Notice CIA INV.exe.4ee0000.11.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Arrival Notice CIA INV.exe.2939ca8.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Arrival Notice CIA INV.exe.2997a74.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Arrival Notice CIA INV.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Mutant created: NULL
Source: Arrival Notice CIA INV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Arrival Notice CIA INV.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Arrival Notice CIA INV.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\Arrival Notice CIA INV.exe "C:\Users\user\Desktop\Arrival Notice CIA INV.exe"
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process created: C:\Users\user\Desktop\Arrival Notice CIA INV.exe "C:\Users\user\Desktop\Arrival Notice CIA INV.exe"
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process created: C:\Users\user\Desktop\Arrival Notice CIA INV.exe "C:\Users\user\Desktop\Arrival Notice CIA INV.exe" Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Arrival Notice CIA INV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Arrival Notice CIA INV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Arrival Notice CIA INV.exe, --.cs .Net Code: _0002
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, YjrFZXPQlT2NQWPl3H.cs .Net Code: L3BVsTcBN6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, YjrFZXPQlT2NQWPl3H.cs .Net Code: L3BVsTcBN6 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00D8F188 push eax; iretd 0_2_00D8F189
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00D8D83E pushad ; ret 0_2_00D8D841
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Code function: 0_2_00F21815 push esi; retf 0_2_00F2181E
Source: Arrival Notice CIA INV.exe Static PE information: section name: .text entropy: 7.9810610493817125
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.Arrival Notice CIA INV.exe.4dd0000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, odtX4Nb12GfjIcpLecD.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vNftDGGPVP', 'e5St7QhgBY', 'gSgtKeB5FP', 'sXNtS51i1P', 'kqft0IWg89', 'sGItmV5rpX', 'k0ptHutSLG'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, ka0wdY3VncPOm8nZjG.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6nvgyVFKf', 'Bt1vBDjrwE', 'paCvzXyLpL', 'OVs1jA3BLs', 'naA1bDJnO3', 'kL91vTPpxT', 'BHB11v5imD', 'TNGWhOjscW605NhCOlV'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, MCRwZaZQ43qS1UcoW9.cs High entropy of concatenated method names: 'tbmOnevfgD', 'F2MO3MwBpV', 'dmtOl29Bbw', 'chAlB8DbMj', 'L7PlzW0JDM', 'X8nOjghpaF', 'v4WOb9dNQF', 'SAoOvcq5OD', 'ieiO1d2yas', 'TfwOVBu05v'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, HutrbTBXXXXcm0GP1e.cs High entropy of concatenated method names: 'qX7NbNSiTh', 'cU3N1qg0pf', 'w56NVEVOYO', 'Qs0NnjhFEc', 'MW4NhKkSae', 'jMFNkbhCKP', 'yx8NlyA3Qu', 'hQBJHJ6Pc0', 'cgXJRHhJG9', 'OZhJg3hGZY'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, bEC19fhqVTo6FEsoE2.cs High entropy of concatenated method names: 'Dispose', 'Rx9bgPoYtu', 'IP9v2RK3fU', 'crFOO4LNF6', 'i2KbBcrAyX', 'cqIbzKY3Cl', 'ProcessDialogKey', 'eFUvjRCa45', 'adSvbt72ra', 'QsvvvMutrb'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, o1W8iM42gxKlHDvpwq.cs High entropy of concatenated method names: 'brvkx58OK1', 'FMNkUHRZkI', 'Uwn3MXpRi0', 'r3u3T3Uo3M', 'zTd3rKF5Dp', 'm423Eqv8rV', 'CmW3Z1HSnx', 'D513es5XID', 'cD63aJYCvx', 'g1b3yyaaFn'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, CRCa45gjdSt72raosv.cs High entropy of concatenated method names: 'fnTJItuPd4', 'TPdJ2E33At', 'GSmJMmOIjJ', 'GbYJTdJKMM', 'yilJDYrmwt', 'B6MJrv1EpS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, M6pwctoGsl3mEPTsKp.cs High entropy of concatenated method names: 'sFrC8lrqe4', 'AuCCiSfQ1G', 'D7ACIsjRPR', 'k6YC2Y2KIs', 'EUiCTYEJiJ', 'LaFCrABY5B', 'RXECZ2L20c', 'ABQCeB9Pa1', 'lHECyqdQe1', 'mXtCYPrLd7'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, iAJHlLzqD1Algto1Ki.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'POSNCBifgx', 'jplNLqY3AG', 'bsMNw9gSL9', 'RxQNWAtDUM', 'GTdNJPSn0b', 'fAqNNmt0Fu', 'MgXNtIdyTD'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, YjrFZXPQlT2NQWPl3H.cs High entropy of concatenated method names: 'h0Z1Ftnxpm', 'sy81nHCc1Q', 'NP11hJHRZg', 'AS913b90Of', 'd6C1kRJNs8', 'vxc1lgSG37', 'Ogf1OsR3IH', 'C041PXehl5', 'h7b1cVk6AS', 'kqf1GWobWk'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, CSijhdvyMSL0nhTw4Q.cs High entropy of concatenated method names: 'CQssXTIbk', 'rC7QvlfZE', 'htAqCW1Cn', 'TbHUV5aEi', 'GIui9JsvX', 'CA74Do42g', 'jGkbmBeynroVPuO8em', 'UqLTRwZ3rZZw6GDw3b', 'QmhJvmoeC', 'kA0tCkq9r'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, ekr9Dm21lmrx12035s.cs High entropy of concatenated method names: 'TyeKXa7EgPljE64U2KM', 'BLXbsQ7ctkDPGH655yt', 'SfJvd97BktHXmdP6KvP', 'pHglJ2Nu10', 'WrulNkcW5n', 'JskltjX3UE', 'hqNlCd7qGybp9cLtveg', 'Om4vUJ7588ULfmCRAn3'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, Rf24gNmVeRtSG9VMBP.cs High entropy of concatenated method names: 'DWtWRt2J3Z', 'eLVWBJQMGY', 'jCSJjkgpKy', 'BBwJbqqiCu', 'DXEWYZ3qEZ', 'toeWuD6CUP', 'd42WocrmBB', 'WZ4WDcoT18', 'WsUW7FVrWT', 'p0uWKjihZK'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, NvRLPBVDTJC3rW47MO.cs High entropy of concatenated method names: 'HLFbOsEYgF', 'WoRbPATGuQ', 'qt4bG3KmQ6', 'sPHb6lL1W8', 'RvpbLwqBxq', 'b9bbww8Z5t', 'EXmOBr3kPXUb5LWXmZ', 'ltNS1nkUV25WiMolU3', 'UgCbb9AaPw', 'OkVb1JucfJ'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, NigW78KaKmN560cV96.cs High entropy of concatenated method names: 'ToString', 'rSkwYIKDme', 'zjVw2Iq5gD', 'RiiwMePcTp', 'JdqwT5dflV', 'KFtwrecc0S', 'NlYwEE1G2U', 'FNkwZE60S5', 'qu3weeMQv7', 'cfNwaDZw3U'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, MRbj1xaTxxGIvZYcyG.cs High entropy of concatenated method names: 'xbvOAAxrvO', 'qg5Opv6iWy', 'plNOseAcNc', 'M3yOQZvypF', 'A3gOxEsUB5', 'mlFOqOMs97', 'BEOOUc2lKZ', 'BPFO8X3J0x', 'a9FOi9mcUN', 'CkCO40xNUX'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, mgy6ERbjQ7rsOAKVgj1.cs High entropy of concatenated method names: 'H7RNAnkbeX', 'fR2NpKGsQH', 'DuONsuIKmg', 'gw4NQCrIn2', 'K4pNxCjuTZ', 'BXANq7mYTl', 'L5CNU51kJg', 'wfXN8IqpJD', 'o2wNisJS7H', 'kWeN4GUfR1'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, GKcrAyRX1qIKY3ClFF.cs High entropy of concatenated method names: 'iJXJnlgMYn', 'b6HJhISgGL', 'KXwJ3gKEuL', 'F4cJkKSRNh', 't6rJlwI1YE', 'NjZJOvIAw4', 'vUvJP6ejf0', 'UBHJcMPNY8', 'XjBJGqUJDR', 'D3EJ6ICr0w'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, esEYgF8HoRATGuQB6y.cs High entropy of concatenated method names: 'QwghDRqGWW', 'yLjh7CITPj', 'NEghKpx1PF', 'H0XhS2knl2', 'RMBh0vm74B', 'khkhmPG0p8', 'vFjhHok3B3', 'iDphRgFDyn', 'A8bhgP8h9s', 'IqahB8wv26'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, Yxqb9bIw8Z5tPCvd7I.cs High entropy of concatenated method names: 'KpXlF27UDB', 'S1TlhWDFiG', 'lFNlkTVXaW', 'PL7lOuxTFT', 'N08lPvOkZ1', 'BlVk0KgHhl', 'PovkmH44fR', 'LJ7kH0XkBf', 'mnWkRRdW45', 'UOpkgXHJNt'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, PhOOxWit43KmQ6NPHl.cs High entropy of concatenated method names: 'KD43Qcxq7b', 'vuI3qPtdgf', 'Iyk38K6ycR', 'rPU3iWLYEZ', 'rs23Lhi5b4', 'JiL3wwSwcE', 'nMi3WfYRtg', 'q2s3JyMt9k', 'C0s3N63uUv', 'QLd3tviM3v'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, bIUcY2DxtP2ba6XEkF.cs High entropy of concatenated method names: 'z2ZLy8l7Tb', 'ERWLuW2AJw', 'qUTLDggunJ', 'GM2L7CxQhQ', 'VP7L2mlm4c', 'KQLLMOT9gw', 'yhCLTytSbB', 'JmnLrLeEsy', 'nNTLEUf8Ig', 'vfGLZc35HY'
Source: 0.2.Arrival Notice CIA INV.exe.3cf5110.8.raw.unpack, rjg8ZESw0U2rjQnG3m.cs High entropy of concatenated method names: 'g5pWG49ZtC', 'foXW60DPpI', 'ToString', 'tJAWnc6UYD', 'fwtWhmO6iV', 'FVRW3TwpM6', 'i57WkrViBG', 'iOUWl7AJl9', 'BpCWOQspvv', 'UgeWPV1aCF'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, odtX4Nb12GfjIcpLecD.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vNftDGGPVP', 'e5St7QhgBY', 'gSgtKeB5FP', 'sXNtS51i1P', 'kqft0IWg89', 'sGItmV5rpX', 'k0ptHutSLG'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, ka0wdY3VncPOm8nZjG.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6nvgyVFKf', 'Bt1vBDjrwE', 'paCvzXyLpL', 'OVs1jA3BLs', 'naA1bDJnO3', 'kL91vTPpxT', 'BHB11v5imD', 'TNGWhOjscW605NhCOlV'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, MCRwZaZQ43qS1UcoW9.cs High entropy of concatenated method names: 'tbmOnevfgD', 'F2MO3MwBpV', 'dmtOl29Bbw', 'chAlB8DbMj', 'L7PlzW0JDM', 'X8nOjghpaF', 'v4WOb9dNQF', 'SAoOvcq5OD', 'ieiO1d2yas', 'TfwOVBu05v'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, HutrbTBXXXXcm0GP1e.cs High entropy of concatenated method names: 'qX7NbNSiTh', 'cU3N1qg0pf', 'w56NVEVOYO', 'Qs0NnjhFEc', 'MW4NhKkSae', 'jMFNkbhCKP', 'yx8NlyA3Qu', 'hQBJHJ6Pc0', 'cgXJRHhJG9', 'OZhJg3hGZY'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, bEC19fhqVTo6FEsoE2.cs High entropy of concatenated method names: 'Dispose', 'Rx9bgPoYtu', 'IP9v2RK3fU', 'crFOO4LNF6', 'i2KbBcrAyX', 'cqIbzKY3Cl', 'ProcessDialogKey', 'eFUvjRCa45', 'adSvbt72ra', 'QsvvvMutrb'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, o1W8iM42gxKlHDvpwq.cs High entropy of concatenated method names: 'brvkx58OK1', 'FMNkUHRZkI', 'Uwn3MXpRi0', 'r3u3T3Uo3M', 'zTd3rKF5Dp', 'm423Eqv8rV', 'CmW3Z1HSnx', 'D513es5XID', 'cD63aJYCvx', 'g1b3yyaaFn'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, CRCa45gjdSt72raosv.cs High entropy of concatenated method names: 'fnTJItuPd4', 'TPdJ2E33At', 'GSmJMmOIjJ', 'GbYJTdJKMM', 'yilJDYrmwt', 'B6MJrv1EpS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, M6pwctoGsl3mEPTsKp.cs High entropy of concatenated method names: 'sFrC8lrqe4', 'AuCCiSfQ1G', 'D7ACIsjRPR', 'k6YC2Y2KIs', 'EUiCTYEJiJ', 'LaFCrABY5B', 'RXECZ2L20c', 'ABQCeB9Pa1', 'lHECyqdQe1', 'mXtCYPrLd7'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, iAJHlLzqD1Algto1Ki.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'POSNCBifgx', 'jplNLqY3AG', 'bsMNw9gSL9', 'RxQNWAtDUM', 'GTdNJPSn0b', 'fAqNNmt0Fu', 'MgXNtIdyTD'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, YjrFZXPQlT2NQWPl3H.cs High entropy of concatenated method names: 'h0Z1Ftnxpm', 'sy81nHCc1Q', 'NP11hJHRZg', 'AS913b90Of', 'd6C1kRJNs8', 'vxc1lgSG37', 'Ogf1OsR3IH', 'C041PXehl5', 'h7b1cVk6AS', 'kqf1GWobWk'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, CSijhdvyMSL0nhTw4Q.cs High entropy of concatenated method names: 'CQssXTIbk', 'rC7QvlfZE', 'htAqCW1Cn', 'TbHUV5aEi', 'GIui9JsvX', 'CA74Do42g', 'jGkbmBeynroVPuO8em', 'UqLTRwZ3rZZw6GDw3b', 'QmhJvmoeC', 'kA0tCkq9r'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, ekr9Dm21lmrx12035s.cs High entropy of concatenated method names: 'TyeKXa7EgPljE64U2KM', 'BLXbsQ7ctkDPGH655yt', 'SfJvd97BktHXmdP6KvP', 'pHglJ2Nu10', 'WrulNkcW5n', 'JskltjX3UE', 'hqNlCd7qGybp9cLtveg', 'Om4vUJ7588ULfmCRAn3'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, Rf24gNmVeRtSG9VMBP.cs High entropy of concatenated method names: 'DWtWRt2J3Z', 'eLVWBJQMGY', 'jCSJjkgpKy', 'BBwJbqqiCu', 'DXEWYZ3qEZ', 'toeWuD6CUP', 'd42WocrmBB', 'WZ4WDcoT18', 'WsUW7FVrWT', 'p0uWKjihZK'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, NvRLPBVDTJC3rW47MO.cs High entropy of concatenated method names: 'HLFbOsEYgF', 'WoRbPATGuQ', 'qt4bG3KmQ6', 'sPHb6lL1W8', 'RvpbLwqBxq', 'b9bbww8Z5t', 'EXmOBr3kPXUb5LWXmZ', 'ltNS1nkUV25WiMolU3', 'UgCbb9AaPw', 'OkVb1JucfJ'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, NigW78KaKmN560cV96.cs High entropy of concatenated method names: 'ToString', 'rSkwYIKDme', 'zjVw2Iq5gD', 'RiiwMePcTp', 'JdqwT5dflV', 'KFtwrecc0S', 'NlYwEE1G2U', 'FNkwZE60S5', 'qu3weeMQv7', 'cfNwaDZw3U'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, MRbj1xaTxxGIvZYcyG.cs High entropy of concatenated method names: 'xbvOAAxrvO', 'qg5Opv6iWy', 'plNOseAcNc', 'M3yOQZvypF', 'A3gOxEsUB5', 'mlFOqOMs97', 'BEOOUc2lKZ', 'BPFO8X3J0x', 'a9FOi9mcUN', 'CkCO40xNUX'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, mgy6ERbjQ7rsOAKVgj1.cs High entropy of concatenated method names: 'H7RNAnkbeX', 'fR2NpKGsQH', 'DuONsuIKmg', 'gw4NQCrIn2', 'K4pNxCjuTZ', 'BXANq7mYTl', 'L5CNU51kJg', 'wfXN8IqpJD', 'o2wNisJS7H', 'kWeN4GUfR1'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, GKcrAyRX1qIKY3ClFF.cs High entropy of concatenated method names: 'iJXJnlgMYn', 'b6HJhISgGL', 'KXwJ3gKEuL', 'F4cJkKSRNh', 't6rJlwI1YE', 'NjZJOvIAw4', 'vUvJP6ejf0', 'UBHJcMPNY8', 'XjBJGqUJDR', 'D3EJ6ICr0w'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, esEYgF8HoRATGuQB6y.cs High entropy of concatenated method names: 'QwghDRqGWW', 'yLjh7CITPj', 'NEghKpx1PF', 'H0XhS2knl2', 'RMBh0vm74B', 'khkhmPG0p8', 'vFjhHok3B3', 'iDphRgFDyn', 'A8bhgP8h9s', 'IqahB8wv26'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, Yxqb9bIw8Z5tPCvd7I.cs High entropy of concatenated method names: 'KpXlF27UDB', 'S1TlhWDFiG', 'lFNlkTVXaW', 'PL7lOuxTFT', 'N08lPvOkZ1', 'BlVk0KgHhl', 'PovkmH44fR', 'LJ7kH0XkBf', 'mnWkRRdW45', 'UOpkgXHJNt'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, PhOOxWit43KmQ6NPHl.cs High entropy of concatenated method names: 'KD43Qcxq7b', 'vuI3qPtdgf', 'Iyk38K6ycR', 'rPU3iWLYEZ', 'rs23Lhi5b4', 'JiL3wwSwcE', 'nMi3WfYRtg', 'q2s3JyMt9k', 'C0s3N63uUv', 'QLd3tviM3v'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, bIUcY2DxtP2ba6XEkF.cs High entropy of concatenated method names: 'z2ZLy8l7Tb', 'ERWLuW2AJw', 'qUTLDggunJ', 'GM2L7CxQhQ', 'VP7L2mlm4c', 'KQLLMOT9gw', 'yhCLTytSbB', 'JmnLrLeEsy', 'nNTLEUf8Ig', 'vfGLZc35HY'
Source: 0.2.Arrival Notice CIA INV.exe.5d00000.12.raw.unpack, rjg8ZESw0U2rjQnG3m.cs High entropy of concatenated method names: 'g5pWG49ZtC', 'foXW60DPpI', 'ToString', 'tJAWnc6UYD', 'fwtWhmO6iV', 'FVRW3TwpM6', 'i57WkrViBG', 'iOUWl7AJl9', 'BpCWOQspvv', 'UgeWPV1aCF'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 716, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 2910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 5D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 6D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 6FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 7FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 2AB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 2CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: 2B10000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199890 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199672 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199437 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199094 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198984 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198875 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198766 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198656 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198437 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198328 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198219 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198109 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198000 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197890 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197781 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197630 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197500 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197391 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Window / User API: threadDelayed 8637 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Window / User API: threadDelayed 1216 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 2020 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 4080 Thread sleep count: 8637 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 4080 Thread sleep count: 1216 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99558s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -99016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -98078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1199094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1198000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1197890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1197781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1197630s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1197500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe TID: 1080 Thread sleep time: -1197391s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99558 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 99016 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98547 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98438 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98313 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98188 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 98078 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97969 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97844 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97734 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97625 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97516 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97406 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199890 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199672 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199437 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1199094 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198984 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198875 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198766 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198656 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198437 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198328 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198219 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198109 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1198000 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197890 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197781 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197630 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197500 Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Thread delayed: delay time: 1197391 Jump to behavior
Source: Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Memory written: C:\Users\user\Desktop\Arrival Notice CIA INV.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Process created: C:\Users\user\Desktop\Arrival Notice CIA INV.exe "C:\Users\user\Desktop\Arrival Notice CIA INV.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Users\user\Desktop\Arrival Notice CIA INV.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Users\user\Desktop\Arrival Notice CIA INV.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Arrival Notice CIA INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4523380175.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4523380175.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4523380175.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 6060, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice CIA INV.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Arrival Notice CIA INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4523380175.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 6060, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Arrival Notice CIA INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3c2bd50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Arrival Notice CIA INV.exe.3bf1330.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4523380175.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4523380175.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4523380175.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Arrival Notice CIA INV.exe PID: 6060, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1416054 Sample: Arrival Notice CIA INV.exe Startdate: 26/03/2024 Architecture: WINDOWS Score: 100 14 mail.fedcraw.org.za 2->14 16 fedcraw.org.za 2->16 20 Found malware configuration 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 9 other signatures 2->26 7 Arrival Notice CIA INV.exe 3 2->7         started        signatures3 process4 signatures5 28 Injects a PE file into a foreign processes 7->28 10 Arrival Notice CIA INV.exe 2 7->10         started        process6 dnsIp7 18 fedcraw.org.za 65.181.111.239, 49699, 587 FORTRESSITXUS United States 10->18 30 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->30 32 Tries to steal Mail credentials (via file / registry access) 10->32 34 Tries to harvest and steal browser information (history, passwords, etc) 10->34 36 Installs a global keyboard hook 10->36 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
65.181.111.239
 fedcraw.org.za United States
25653 FORTRESSITXUS false

Contacted Domains

Name IP Active
fedcraw.org.za 65.181.111.239 true
mail.fedcraw.org.za unknown unknown