Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.corpsa.net", "Username": "newusd@corpsa.net", "Password": "ko=8J2,OjDt,"} |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
ReversingLabs: Detection: 34% |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Virustotal: Detection: 31% |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: |
Binary string: wntdll.pdbUGP source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061C93C FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
Source: Amcache.hve.5.dr |
String found in binary or memory: http://upx.sf.net |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0062425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00624458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00610219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0063CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE |
Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen |
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: This is a third-party compiled AutoIt script. |
0_2_005B3B4C |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00608858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005BE800 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DDBB5 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0063804A |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005BE060 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C4140 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D2405 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E6522 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00630665 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E267E |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C6843 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D283A |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E89DF |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C8A0E |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00630AE2 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E6A94 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0060EB07 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00618B13 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DCD61 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E7006 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C710E |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C3190 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B1287 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D33C7 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DF419 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D16C4 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C5680 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D78D3 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005C58C0 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D1BB8 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E9D05 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005BFE40 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D1FD0 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DBFE6 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_01143660 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: String function: 005D0D27 appears 70 times |
|
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: String function: 005B7F41 appears 35 times |
|
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: String function: 005D8B40 appears 42 times |
|
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088931819.00000000036C3000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2087172339.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename06654b58-2932-4b00-baba-711656b1769c.exe4 vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload |
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, KLhJmaON.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, KLhJmaON.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 9HIFdl.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 9HIFdl.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00608713 AdjustTokenPrivileges,CloseHandle, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00608CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0062F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe" |
|
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe" |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 12 |
|
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Section loaded: wldp.dll |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_006355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005D33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00614696 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061C93C FindFirstFileW,FindClose, |
0_2_0061C93C |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_0061C9C7 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0061F200 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0061F35D |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0061F65E |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00613A2B |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00613D4E |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0061BF27 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, |
0_2_005B4AFE |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.5.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.5.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.5.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.5.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20 |
Source: Amcache.hve.5.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.5.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.5.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.5.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.5.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.5.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.5.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: hgfsZrw6 |
Source: Amcache.hve.5.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.5.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.5.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.5.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.5.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.5.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.5.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.5.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.5.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
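A caveat on the block above: every entry whose source is Amcache.hve.5.dr is a string from the Amcache registry hive that the sandbox collected from its own analysis machine (driver and device inventory such as vmci.sys, the VMware SATA CD-ROM and the VMware BIOS record), so it documents the environment the sample ran in, not code in the sample that looks for a hypervisor. The only entry in this group whose source is the sample's own process memory, and the memory of the injected RegSvcs.exe, is hgfsZrw6. The scanner below is an added example and is not part of this report or of any Joe Sandbox tooling; it pulls printable ASCII and UTF-16LE strings out of a byte blob and groups the ones that point at a hypervisor by product, which is the triage step an analyst runs over a memory dump to separate the sample's own strings from host inventory. The indicator lists, the constructed SAMPLE_BLOB and the function names are assumptions of the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Substrings that betray a hypervisor, grouped by product. Matched
# case-insensitively. ven_15ad / ven_80ee are the VMware and VirtualBox
# PCI vendor IDs as they appear in device instance paths. This list is an
# assumption of the example, not a list taken from the report.
VM_INDICATORS: Dict[str, Tuple[str, ...]] = {
    "vmware": ("vmware", "vmci", "necvmwar", "hgfs", "ven_15ad"),
    "hyper-v": ("hyper-v", "vmbus"),
    "virtualbox": ("vbox", "virtualbox", "ven_80ee"),
    "qemu": ("qemu", "bochs"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    Windows binaries and registry hives keep most device names as UTF-16LE,
    so an ASCII-only pass would miss much of what a sandbox report lists.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def scan_vm_artifacts(blob: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Map each hypervisor family to the distinct strings that point at it,
    in order of first appearance in the blob."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for _offset, _enc, text in sorted(extract_strings(blob, min_len)):
        low = text.lower()
        for family, needles in VM_INDICATORS.items():
            if any(n in low for n in needles) and text not in hits[family]:
                hits[family].append(text)
    return dict(hits)


# Constructed sample blob (not data from the analysed file): a mix of ASCII
# and UTF-16LE strings of the kind the Amcache hive above contains, separated
# by non-printable bytes so the two decoders do not overlap.
SAMPLE_BLOB = (
    b"VMware Virtual disk SCSI Disk Device\x00\xff"
    + "vmci.sys".encode("utf-16le") + b"\xff"
    + b"Microsoft Hyper-V Generation Counter\x00"
    + b"Comprobante de pago\x00"
    + b"hgfsZrw6\x00"
)

if __name__ == "__main__":
    for family, strings in scan_vm_artifacts(SAMPLE_BLOB).items():
        print(f"{family}: {strings}")
```

Run it over a process memory dump of the sample and, separately, over the dropped hive; hits that only appear in the hive are host inventory, while hits in the sample's own memory (such as hgfsZrw6 here) are the ones worth chasing in the disassembly.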
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, |
0_2_005B3B4C |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
0_2_005E5CCC |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_01143550 mov eax, dword ptr fs:[00000030h] |
0_2_01143550 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_011434F0 mov eax, dword ptr fs:[00000030h] |
0_2_011434F0 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_01141ED0 mov eax, dword ptr fs:[00000030h] |
0_2_01141ED0 |
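The three functions above each execute mov eax, dword ptr fs:[30h], which loads the pointer to the Process Environment Block from the TEB on 32-bit Windows. Reading PEB.BeingDebugged (offset 0x02) or PEB.NtGlobalFlag (offset 0x68) straight after that load is the inline form of IsDebuggerPresent and the heap-flag debugger check, but the same load also precedes routine accesses such as ProcessHeap (0x18) and Ldr (0x0C), so the load alone is not evidence of anti-debugging. Note also that these three functions sit at 0x0114xxxx, a different address range from every other function listed for the sample. The scanner below is an added example, not code from this report or from Joe Sandbox; it finds the fs:[30h] load encodings in raw x86 code bytes and reports which PEB field is dereferenced within a short window, so the anti-debug reads can be told apart from the benign ones. The constructed SAMPLE_CODE, the function names and the follow-up window size are assumptions of the example.

```python
import re
from typing import List, NamedTuple, Optional

# x86 32-bit register names indexed by the ModRM reg/rm field value.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# fs:[0x30] is TEB.ProcessEnvironmentBlock on 32-bit Windows. Two encodings
# load it into a register:  64 A1 30 00 00 00 (eax only, moffs32 form) and
# 64 8B /r 30 00 00 00 with a disp32-only ModRM byte (05, 0D, ..., 3D).
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)

# The same pattern in YARA hex-string syntax, for hunting across a sample set.
YARA_HEX = (
    "{ 64 ( A1 | 8B 05 | 8B 0D | 8B 15 | 8B 1D | 8B 25 | 8B 2D | 8B 35 | 8B 3D ) "
    "30 00 00 00 }"
)

# 32-bit PEB fields commonly read straight after the load. The first two are
# debugger checks; the other two are routine CRT / loader accesses.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x68: "NtGlobalFlag",
    0x0C: "Ldr",
    0x18: "ProcessHeap",
}


class PebAccess(NamedTuple):
    offset: int            # byte offset of the fs:[30h] load
    register: str          # register that receives the PEB pointer
    field: Optional[str]   # PEB field dereferenced within the window, if any


def find_peb_reads(code: bytes, window: int = 16) -> List[PebAccess]:
    """Locate fs:[30h] loads and classify the PEB field read right after them.

    The follow-up decoder recognises only the three common forms
    mov r32,[base+disp8] (8B), mov r8,[base+disp8] (8A) and
    movzx r32,byte [base+disp8] (0F B6); anything else yields field=None.
    """
    hits: List[PebAccess] = []
    for m in PEB_LOAD.finditer(code):
        raw = m.group(0)
        base = 0 if raw[1] == 0xA1 else (raw[2] >> 3) & 7
        field = None
        tail = code[m.end(): m.end() + window]
        if base != 4:  # esp as base register needs a SIB byte; not decoded here
            for i in range(len(tail) - 2):
                op = tail[i]
                if op in (0x8B, 0x8A):
                    modrm, disp = tail[i + 1], tail[i + 2]
                elif op == 0x0F and i + 3 < len(tail) and tail[i + 1] == 0xB6:
                    modrm, disp = tail[i + 2], tail[i + 3]
                else:
                    continue
                # mod=01 (disp8), rm=base register, any destination register
                if (modrm & 0xC7) == (0x40 | base) and disp in PEB_FIELDS:
                    field = PEB_FIELDS[disp]
                    break
        hits.append(PebAccess(m.start(), REG32[base], field))
    return hits


def is_anti_debug(hit: PebAccess) -> bool:
    """True for the two PEB reads that only make sense as debugger checks."""
    return hit.field in ("BeingDebugged", "NtGlobalFlag")


# Constructed sample, not bytes from the analysed file: a hand-assembled
# function with a BeingDebugged check, an NtGlobalFlag check and a benign
# ProcessHeap read, so the scanner has all three cases to tell apart.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                      # push ebp ; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]  ; BeingDebugged
    + b"\x85\xC0\x75\x05"                # test eax, eax ; jne +5
    + b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[30h]
    + b"\x8B\x41\x68"                    # mov eax, [ecx+68h]           ; NtGlobalFlag
    + b"\x64\x8B\x15\x30\x00\x00\x00"    # mov edx, fs:[30h]
    + b"\x8B\x42\x18"                    # mov eax, [edx+18h]           ; ProcessHeap (benign)
    + b"\xC3"                            # ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE_CODE):
        tag = "anti-debug" if is_anti_debug(hit) else "benign/unknown"
        print(f"+0x{hit.offset:04x}: PEB -> {hit.register}, field={hit.field} ({tag})")
```

Feed it the bytes of the 0x0114xxxx region from a memory dump rather than the on-disk file, since that range is not part of the main image's listed functions; a hit whose field is None needs a look in the disassembler, because the PEB pointer may be stashed and used later than the window covers.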
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_006081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_006081F7 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DA364 SetUnhandledExceptionFilter, |
0_2_005DA364 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005DA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_005DA395 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, |
0_2_005B3B4C |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_005B4A35 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_006081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_006081F7 |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: Shell_TrayWnd |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_005E50D7 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005E418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, |
0_2_005E418A |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_005B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, |
0_2_005B4AFE |
Source: Amcache.hve.5.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.5.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.5.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.5.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.5.dr |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5668, type: MEMORYSTR |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_81 |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_XP |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_XPe |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_VISTA |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_7 |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: WIN_8 |
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00626596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, |
0_2_00626596 |
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe |
Code function: 0_2_00626A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, |
0_2_00626A5A |