Windows Analysis Report
LisectAVT_2403002A_35.exe

Overview

General Information

Sample name: LisectAVT_2403002A_35.exe
Analysis ID: 1482318
MD5: 292b38ef1365ee19ef46925535305891
SHA1: 4e7d964212b15097bc867935dae6ab71b72ec6fc
SHA256: 81794c637b54a673f7e5af3f1f0aeb3479e9279b6870c07caa0a380ea7ad1dce
Tags: DarkTortilla, exe

Detection

AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection

Source: LisectAVT_2403002A_35.exe Avira: detected
Source: LisectAVT_2403002A_35.exe.7756.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.rusticpensiune.ro", "Username": "FTPAdmin@rusticpensiune.ro", "Password": "99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_35.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_35.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_35.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.8:62221 -> 185.146.87.128:54603
Source: Joe Sandbox View IP Address: 185.146.87.128
Source: Joe Sandbox View ASN Name: GTSCEGTSCentralEuropeAntelGermanyCZ
Source: unknown FTP traffic detected: 185.146.87.128:21 -> 192.168.2.8:62220 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 3 of 50 allowed. 220-Local time is now 22:18. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ftp.rusticpensiune.ro
Source: LisectAVT_2403002A_35.exe String found in binary or memory: http://api.radioreference.com/soap2
Source: RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2660172800.00000000030AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.rusticpensiune.ro
Source: RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_35.exe String found in binary or memory: http://www.radioreference.com/apps/register/
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, 8AYyiOU7.cs .Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, 8AYyiOU7.cs .Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, 8AYyiOU7.cs .Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, 8AYyiOU7.cs .Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, 8AYyiOU7.cs .Net Code: _7y2ZauGs

System Summary

Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02779BA8 CreateProcessAsUserW, 0_2_02779BA8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_00E67978 0_2_00E67978
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_00E69CD8 0_2_00E69CD8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0277A248 0_2_0277A248
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02774AFB 0_2_02774AFB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02774048 0_2_02774048
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_027728E0 0_2_027728E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02773210 0_2_02773210
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02773200 0_2_02773200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02778378 0_2_02778378
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02772B78 0_2_02772B78
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02777BB9 0_2_02777BB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0277E390 0_2_0277E390
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02772B80 0_2_02772B80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02773878 0_2_02773878
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02773869 0_2_02773869
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02770040 0_2_02770040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02774038 0_2_02774038
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02770007 0_2_02770007
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02776800 0_2_02776800
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_027728D0 0_2_027728D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_027779C0 0_2_027779C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_027779B1 0_2_027779B1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0277EE10 0_2_0277EE10
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_027767F0 0_2_027767F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02776798 0_2_02776798
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05A410AC 0_2_05A410AC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05A4ADFC 0_2_05A4ADFC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05A4CD20 0_2_05A4CD20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05A4CD10 0_2_05A4CD10
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CD22B8 0_2_05CD22B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CDD1FB 0_2_05CDD1FB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CDD200 0_2_05CDD200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE2488 0_2_05CE2488
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE2483 0_2_05CE2483
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEC3B0 0_2_05CEC3B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_072F1C68 0_2_072F1C68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730AF69 0_2_0730AF69
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730B938 0_2_0730B938
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_07308C31 0_2_07308C31
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730A840 0_2_0730A840
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730C848 0_2_0730C848
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730EFB3 0_2_0730EFB3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730EB90 0_2_0730EB90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730EB80 0_2_0730EB80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730D6F0 0_2_0730D6F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730D6E0 0_2_0730D6E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730E2E8 0_2_0730E2E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730E2D8 0_2_0730E2D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730E958 0_2_0730E958
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730E95C 0_2_0730E95C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730B180 0_2_0730B180
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730E5DB 0_2_0730E5DB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_07309C00 0_2_07309C00
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_07300007 0_2_07300007
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730C80D 0_2_0730C80D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730A80F 0_2_0730A80F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_07300040 0_2_07300040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_0730CC88 0_2_0730CC88
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_072F1C4F 0_2_072F1C4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054D9400 6_2_054D9400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054DD060 6_2_054DD060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054D3E40 6_2_054D3E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054D9BB0 6_2_054D9BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054D4A58 6_2_054D4A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_054D4188 6_2_054D4188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_064156D8 6_2_064156D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06413F40 6_2_06413F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0641DC20 6_2_0641DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0641BCF0 6_2_0641BCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06412AF0 6_2_06412AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06418B80 6_2_06418B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06410040 6_2_06410040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06414FF8 6_2_06414FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_06413240 6_2_06413240
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2125558779.0000000007560000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9f5f3d95-0f9a-4fca-99d3-94ce8fa4a2b9.exe4 vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000000.1408033059.0000000000166000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameONUMUJURUEKELE240322.exeP vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9f5f3d95-0f9a-4fca-99d3-94ce8fa4a2b9.exe4 vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2111675749.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe Binary or memory string: OriginalFilenameONUMUJURUEKELE240322.exeP vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: LisectAVT_2403002A_35.exe, Fb7r9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, pedwBeAo9.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, Mi6W.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, s0nDliRGT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, UGDeyt2ww1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, xpue.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, u4JW9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_35.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: LisectAVT_2403002A_35.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_35.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe "C:\Users\user\Desktop\LisectAVT_2403002A_35.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: LisectAVT_2403002A_35.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_35.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_35.exe Static file information: File size 1062923 > 1048576
Source: LisectAVT_2403002A_35.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102e00
Source: LisectAVT_2403002A_35.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3b219f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3b219f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.53c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.53c0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2112490398.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: LisectAVT_2403002A_35.exe, Zi62.cs .Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Eg0b.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_00E6D99F push 5D0C50FFh; ret 0_2_00E6D99C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_02777414 push edi; retf 0_2_02777415
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05A37798 push eax; retf 0_2_05A37799
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CD88CB push eax; iretd 0_2_05CD8919
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEE5EB pushfd ; retf 0_2_05CEE5F2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE140B push es; retf 0_2_05CE1412
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE1407 push es; retf 0_2_05CE140A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE979B push edi; retf 0_2_05CE97A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE9799 push edi; retf 0_2_05CE979A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEA773 pushad ; retf 0_2_05CEA77A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEA771 pushad ; retf 0_2_05CEA772
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE9718 push edi; retf 0_2_05CE971A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE96E9 push esi; retf 0_2_05CE96EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE96B3 push esi; retf 0_2_05CE96BA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE96B0 push esi; retf 0_2_05CE96B2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE9621 push esi; retf 0_2_05CE9622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEE1DB pushfd ; retf 0_2_05CEE392
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE91E9 push edx; retf 0_2_05CE91EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE9123 push ecx; retf 0_2_05CE912A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEE39B pushfd ; retf 0_2_05CEE5EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE1351 push es; retf 0_2_05CE1352
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE2364 push eax; retf 0_2_05CE3911
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE1373 push es; retf 0_2_05CE137A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE1370 push es; retf 0_2_05CE1372
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE8DBF push eax; retf 0_2_05CE8E12
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE8F23 push eax; retf 0_2_05CE8F2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE8F20 push eax; retf 0_2_05CE8F22
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE8EF0 push eax; retf 0_2_05CE8EF2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEA913 pushad ; retf 0_2_05CEA91A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CE9809 push edi; retf 0_2_05CE980A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Code function: 0_2_05CEE813 push 9805CB9Dh; iretd 0_2_05CEE81D
Source: LisectAVT_2403002A_35.exe Static PE information: section name: .text entropy: 6.948309386213313
Source: LisectAVT_2403002A_35.exe, Zi62.cs High entropy of concatenated method names: 'Yg1', 'c5R', 'o7A', 'p2K', 'r9S', 'j4H', 'Eq7', 'Di1', 'Df2', 'Qe4'
Source: LisectAVT_2403002A_35.exe, Ze52.cs High entropy of concatenated method names: 'SetWindowPos', 'ShellExecute', 'c3AF', 'Jm93', 'o2N8', 'Pm15', 'Cn6o', 'w7ZT', 'Ee6g', 'd7F4'
Source: LisectAVT_2403002A_35.exe, Fb7r9.cs High entropy of concatenated method names: 'Ya5f8', 'y7E4Z', 'r9YQy', 'e7WJb', 'Mg7c1', 't9E7W', 'f6', 'Do', 'x7', 'Km'

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe File opened: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: 7E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: 8E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: 9040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: A040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: A3F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: B3F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Window / User API: threadDelayed 8749
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Window / User API: threadDelayed 1118
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe TID: 8044 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe TID: 8044 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Thread delayed: delay time: 30000
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: RegAsm.exe, 00000006.00000002.2664566925.00000000062E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F03008
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR