Windows Analysis Report
LisectAVT_2403002A_19.exe

Overview

General Information

Sample name: LisectAVT_2403002A_19.exe
Analysis ID: 1482445
MD5: afb12495b0c9be1ad8acc1709ff5eb1e
SHA1: 425cdd67c93562d960e4f86d9dab43b735bf84e8
SHA256: 8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: LisectAVT_2403002A_19.exe Avira: detected
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs1@agceram.com", "Password": "Vo^vcAf9", "Host": "smtp.agceram.com"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_19.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_19.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: LisectAVT_2403002A_19.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_077CBD40

Networking

Source: Yara match File source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE
Source: unknown DNS traffic detected: query: smtp.agceram.com reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: smtp.agceram.com
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://KMcLhe.com
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://b6QQBzu4tg.com
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://b6QQBzu4tg.comt-
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_19.exe String found in binary or memory: http://www.phapsoftware.hotgoo.net
Source: LisectAVT_2403002A_19.exe String found in binary or memory: http://www.phapsoftware.hotgoo.net)C
Source: LisectAVT_2403002A_19.exe String found in binary or memory: http://www.phapsoftware.hotgoo.net:
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%4
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_19.exe, 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 3924, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2135032484.0000000003877000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000000.2095078039.000000000031C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTransform.exe> vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2133894157.000000000087E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2139898296.0000000007980000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemelMAmtZMwaCsjWTKCJLFbgvBrBIVp.exe4 vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemelMAmtZMwaCsjWTKCJLFbgvBrBIVp.exe4 vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2139548814.00000000070C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemelMAmtZMwaCsjWTKCJLFbgvBrBIVp.exe4 vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4555594381.0000000001337000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe Binary or memory string: OriginalFilenameTransform.exe> vs LisectAVT_2403002A_19.exe
Source: LisectAVT_2403002A_19.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 3924, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: LisectAVT_2403002A_19.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_19.exe, cH059DXZwiwMSJ2G47.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, B.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_19.exe.log
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Mutant created: NULL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Mutant created: \Sessions\1\BaseNamedObjects\NHrnrOpF
Source: LisectAVT_2403002A_19.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_19.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_19.exe, 00000003.00000002.4558492296.00000000036C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe "C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe "C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: LisectAVT_2403002A_19.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_19.exe Static file information: File size 1353734 > 1048576
Source: LisectAVT_2403002A_19.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: LisectAVT_2403002A_19.exe, cH059DXZwiwMSJ2G47.cs .Net Code: bSDmNBc20XsjgSo7cL1(t1K8HKc62TdnTiDZSHE(16777449)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{bSDmNBc20XsjgSo7cL1(t1K8HKc62TdnTiDZSHE(16777271)),bSDmNBc20XsjgSo7cL1(t1K8HKc62TdnTiDZSHE(16777251))})
Source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, B.cs .Net Code: A System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_0244196C pushfd ; iretd 0_2_0244189A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059CB7BA push ss; retf 0_2_059CB7C6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059CB7F7 push ss; retf 0_2_059CB7C6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059CB3DA push ss; retf 0_2_059CB3E6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059CBC48 push ss; retf 0_2_059CBC56
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059CAFA2 push ss; retf 0_2_059CAFAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_059C3E5F push ss; retf 0_2_059C3E6E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B361B2 push esp; ret 0_2_05B361B9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B333BF push cs; retf 0_2_05B333CE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B33978 push cs; retf 0_2_05B33986
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B35B48 push esp; retf 0_2_05B35B57
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B53DB9 push cs; retf 0_2_05B53DBB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B4FDA7 push 0C8D8BFFh; iretd 0_2_05B4FDAC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B4EDAD push cs; retf 0_2_05B4EDAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B53D8D push cs; retf 0_2_05B53D8E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B525FE push cs; retf 0_2_05B525FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B4EDE4 push cs; retf 0_2_05B4EDE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B4FDE5 push cs; retf 0_2_05B4FDE7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B53D3E push ss; retf 0_2_05B53D40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B53538 push cs; retf 0_2_05B5353A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B5452D push cs; retf 0_2_05B5452F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B5052C push ss; retf 0_2_05B5052D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B5351B push cs; retf 0_2_05B5351D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B54D01 push cs; retf 0_2_05B54D02
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B5650C push cs; retf 0_2_05B5650D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B50575 push cs; retf 0_2_05B50576
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B4FD56 push cs; retf 0_2_05B4FD58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B53D56 push ss; retf 0_2_05B53D57
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B5454A push cs; retf 0_2_05B5454C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B55CBD push cs; retf 0_2_05B55CBF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 0_2_05B51CBB push cs; retf 0_2_05B51CBC
Source: LisectAVT_2403002A_19.exe Static PE information: section name: .text entropy: 7.467762882649221
Source: LisectAVT_2403002A_19.exe, cH059DXZwiwMSJ2G47.cs High entropy of concatenated method names: 'K6vBdJtEV9CtgiF4530', 'K43VbotkfxV3XGKTbI2', 'vA9qhjtrhDfhrGAGNQu', 'WuwJyZtC1yqYHqUdBJ4', 'xq44yGOdCs', 'EW59yAtLmGT2wOOw1yN', 'uDdCeAt1LxmphtCFHEf', 'uBoCq5tKrPeyXBcT0ST', 'd2Lk9XtmmG3ibUrqPNF', 'uvk6dDtOgEDxmtOQENJ'
Source: LisectAVT_2403002A_19.exe, mbgRn93H9fOEwNi84F.cs High entropy of concatenated method names: 'gpavuIes11', 'U7lvv7DE81', 'AlLvbEqqnF', 'q9RvJVabDm', 'RUdvdbmNa9', 'Vn9vDqVgXt', 'sVavSlFFFN', 'mfNvcM1Kev', 'EMKvsfn7hL', 'n2tv90WckO'
Source: LisectAVT_2403002A_19.exe, B0GaMFGWZVBKutsWoi.cs High entropy of concatenated method names: 'Y9M9nHSAgP', 'xCt9Yd93Hv', 'huh9HTvT4i', 'Pkm9lvRg9D', 'KIx92dUS3y', 'YUn9alya5E', 'Iea9L9MdKh', 'Oq5975mm0u', 'nCD9AeotIa', 'jVR9UfdQwE'
Source: LisectAVT_2403002A_19.exe, MySettings.cs High entropy of concatenated method names: 'AutoSaveSettings', 'PDspSdbGhXBl10f8eY', 'AwnGEFaOVq0AkHQfSj', 'sLpmOY2GZ73XIvN2MA', 'BSiQ1MQ7G7XGStQjTT', 'eJGd23BT1FU0NQutVJ', 'kXDDTIXfIy8gxsTheG', 'MByA9v887YvTBi88Os', 'QPO2JKWB2xgwsiRDDj', 'HM56sMVwPXTyLqKrKO'
Source: LisectAVT_2403002A_19.exe, kYSGbrwSsqJeCXa50u.cs High entropy of concatenated method names: 'yf4rbAM77', 'yW19v2yW1kyNTtI0of', 'qUuQrCd0BfbOCPuxgh', 'UsoLoB4JTp9mY53r8y', 'VaVkJ7mvBPnr9mTUYV', 'oF5bbMOFAISsIyHf8N', 'KkQSWrj9nvSnt5UHqm', 'Q6r6RvA3bTLEMVMBAH', 'rTyiif6lW5QnQaucP9'
Source: LisectAVT_2403002A_19.exe, EnybaQYZHUfl0AY4Kv.cs High entropy of concatenated method names: 'j0T9Zvjh2Z', 'QvB9m0ES8W', 'lH69X6Yix6', 'FolderExists', 'Vpg9VO8sPD', 'k99oHQ79wrylD9ywf3j', 'FB0WGK7RTqU5YvSZkn8', 'b4w8WY7GS9gJV7lrPoX', 'EkGqDA7lMB6yQPyVobi', 'UhMg0V7w5S5RqlcfOLD'
Source: LisectAVT_2403002A_19.exe, Iwar6LTVyLJIYNFeKq.cs High entropy of concatenated method names: 'eL1tej6pr', 'fwspAepvF', 'rmgzThSAa', 'mSjMNrJgQMa2rphhJy', 'nBJTWUIASttG8EpEJI', 'bXa0Bpq1igHJaxqtV7', 'm9e93nD2bFQMK7jDX6', 'qkiWGesOhosyoEWLEC', 'oUW6UyMcnU6tIicRkG', 'EqvJVrzdvkjRhZdkIf'
Source: LisectAVT_2403002A_19.exe, kkvskdfeYkTCGH4QCu.cs High entropy of concatenated method names: 'Dispose', 'WKb9uQT9Vb', 'knh9vMZOq7', 'MCd9bAwiqf', 'qkJ9JeZUgM', 'Fs1p3whAl2aAmiZ1nFd', 'ni6hJRh6oyorB6koGtN', 'sPHh6Jh2JWifSRRO1Zu', 'kDsPWIh4XbqxHn9bLCe', 'QfJjPBhjAQCpvGGub9J'
Source: LisectAVT_2403002A_19.exe, diRugZnHpoqLNbmiVS.cs High entropy of concatenated method names: 'uhXv6vMe8', 'OnCreateMainForm', 'crui29wf2R4wViCnQg', 'XoN2PrSJ2ptNOnXNtm', 'p61SJkTHwiDhooM9x9', 'RZFAhdgGTg4eqsRl9H', 'nldMgJHh78E71nWILm', 'Y8VhyvYEFadPh1NiEA', 'VBUWY5hOb20oKxnpc8', 'Vap7rqeCGNPD9VwiuV'
Source: LisectAVT_2403002A_19.exe, NCnVCRCOcqiIrEJ2Pu.cs High entropy of concatenated method names: 'Ho4hJYjReZ', 'XIIhDvpdRA', 'Equals', 'GetHashCode', 'u0chSCE64S', 'ToString', 'jSPGx87qHNGxeNr0bRB', 'hsBSf27Da93MQqJcApx', 'cHoEsg7vbNj9qB2rsCU', 'q9lfZ973o6DKKycg7hC'
Source: LisectAVT_2403002A_19.exe, epnHaRKKxYFXWgnn30.cs High entropy of concatenated method names: 'uxorhQaaj2S0j', 'cWVlx3cLBAC11E66TTw', 'TwHSvkc1tSnA3Ux0k0m', 'zxg0aicKmlkDakParkg', 'ytuRQpcpdEsx1WQBBFy', 'BGQOICcip7jN2oYhu5r', 'kWp4o2cmJ8YS0qv1fUN', 'K28E3scOK1PkS8yBc3h', 'c2Qkqbcyk8q5p2UxBDX', 'ydcG86cdEZ6S2hL708E'
Source: LisectAVT_2403002A_19.exe, mM8S6l48iXbmSiYJgF.cs High entropy of concatenated method names: 'bnS91NwTwQ', 'okE9wFLDU2', 'nBV9CtJvOk', 'e6M9r8DjQn', 'Pr79MlhNYn', 'A73ERP5iYp7bOlIKnAf', 'r26RP05LColFKafXCNQ', 'UIlr3251LytAd9CXBlb', 'SNgxYP5kCqhk1AVwHU9', 'w5LvtQ5puZmi7lUet0c'
Source: LisectAVT_2403002A_19.exe, dddyjkdWYYf4iuTMYB.cs High entropy of concatenated method names: 'WM1vgwflps', 'nsevPVyR9F', 'gyyvefoJ5v', 'joxvR74bBR', 'zWPvqNs3dI', 'g1rv5lh995', 'phEvN7dYyC', 'gGMvKr6xKV', 'FCJvfHHtow', 'C3Nv0jDerh'
Source: LisectAVT_2403002A_19.exe, OOBG4wMoWIMqqZ8j4I.cs High entropy of concatenated method names: 'Dispose', 'r8599q7Gpf', 'afReff5GGx', 'Drde0kA1yy', 'orA9hD0HDm', 'jXu944alXg', 'kIX9Ff9qEo', 'O3fuuNeCRe9SoYu4Xd8', 'IxTCnNeEdFBeJilE7Jj', 'apQWIwekOPgqfiFs1a2'
Source: LisectAVT_2403002A_19.exe, hhPE52P5kOn4XIqs61.cs High entropy of concatenated method names: 'eL49PwmL4U', 'nUv9eJrsr6', 'KXj9RVlmr7', 'a8k9qk0jd9', 'Its95EqrHY', 'hj6CQ2ftqdG7DWwdM6X', 'CpH5sTfrSlcvCVhbeck', 'RKwB3rfCy5Qm23Pa2CK', 'sMLInkf7mmIH3HBk76P', 'UF9DbafcPoobT4SidWl'
Source: LisectAVT_2403002A_19.exe, jXoxD01lmspGfxigSN.cs High entropy of concatenated method names: 'zjMK5baIf', 'fQj0AMJfs', 'dBvLupEuBZMksOmtHB', 'VGk2BSkI8TLYIcaENj', 'dqWHTmrKvZSVV8WHgF', 'RewEALCGk25BUxg8HA', 'fbKEAvp48RvKEnuMYH', 'x4eEoeipORC09bVMxD', 'Rro7YOLr0GDgTeYjkB', 'Aj71He1UXOoG44HYF6'
Source: LisectAVT_2403002A_19.exe, i1mSeP8ShkOZGmKpbT.cs High entropy of concatenated method names: 'LDA9NfaBm8', 'FO89KUEfEa', 'xA29fmILCR', 'RKj90bwgF0', 'qa79oLyEWL', 'wGM9Q0gXh3', 'O5Q9ECJc2Y', 'emx9IGk2rv', 'eBp9yfkd9D', 'Ac5eSI55BrD4JMp0a1o'
Source: LisectAVT_2403002A_19.exe, VJYh0y0os2gJpvgGSw.cs High entropy of concatenated method names: 'uhM9BOFA2d', 't5N9TrnjmT', 'sij9WETnjQ', 'CXZ9iRIlFV', 'F2Y98S7rph', 'UVwAWynLuYnEv8B09lO', 'NkUYYEn111lsEsbG5ji', 'LVwSocnKiWhw8Nj8Neo', 'BP57RHnmm2ahfLss318', 'puA8JInOuW8tyADTde9'
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.263f1f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 3924, type: MEMORYSTR
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 45B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 8DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 9DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 9FC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 1800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 3330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Window / User API: threadDelayed 7106
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Window / User API: threadDelayed 2706
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 5140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 1764 Thread sleep time: -43305s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 1172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 3300 Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 3300 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 5388 Thread sleep count: 7106 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe TID: 5388 Thread sleep count: 2706 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Thread delayed: delay time: 43305
Source: LisectAVT_2403002A_19.exe Binary or memory string: WvlkX0nHXu9RNOwHGFS
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2134202692.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: LisectAVT_2403002A_19.exe, 00000000.00000002.2133894157.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_19.exe, 00000003.00000002.4556026872.0000000001648000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Code function: 3_2_016C64F0 LdrInitializeThunk, 3_2_016C64F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe "C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 3924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\LisectAVT_2403002A_19.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.LisectAVT_2403002A_19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_19.exe.3670ab0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4555380450.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2135032484.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4558492296.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 3924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_19.exe PID: 2708, type: MEMORYSTR
No contacted IP infos