
Windows Analysis Report
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

Overview

General Information

Sample name: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Analysis ID: 1559050
MD5: 296a91d852273bd8f8ea784f814e8e54
SHA1: 47a5391f798e645c075a074a7cddfab468e449d5
SHA256: bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
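The signatures above are what a sandbox sees; the same behaviours are visible in ordinary endpoint telemetry, and a detection engineer will want them expressed as rules rather than as a checklist. The script below is an added example (not Joe Sandbox code) that scores process images over a small, constructed event stream mirroring this report: WMI queries for Win32_Processor / Win32_Bios / Win32_BaseBoard / Win32_NetworkAdapter, an api.ipify.org lookup sent with a Firefox User-Agent from a process that is not a browser, the sample spawning a second copy of itself (the observable precursor of the suspended-process injection the report flags), and reads of the Firefox profiles.ini and the Outlook Profiles registry key. The event and field names (`event`, `image`, `parent_image`, `wmi_class`, and so on), the browser allow-list and the weights are assumptions made for this example, not any vendor's telemetry schema or scoring.

```python
"""Behavioural triage over endpoint telemetry, keyed to the signatures this
report raised: VM-fingerprinting WMI queries, an external-IP lookup with a
browser User-Agent from a non-browser process, the sample spawning a copy of
itself, and reads of Firefox/Outlook credential stores.

Added example, not Joe Sandbox code. SAMPLE_EVENTS is constructed to mirror
the report's findings; event and field names are assumptions for this example.
"""
from collections import defaultdict

# WMI classes the report lists as VM-fingerprinting queries.
VM_PROBE_CLASSES = {"Win32_Processor", "Win32_Bios", "Win32_BaseBoard",
                    "Win32_NetworkAdapter"}
# External-IP lookup services; the report shows api.ipify.org.
IP_CHECK_HOSTS = {"api.ipify.org"}
# Images that legitimately send browser User-Agents (assumed allow-list).
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
BROWSER_UA_TOKENS = ("Firefox/", "Chrome/", "Safari/", "Trident/")
# Credential-store artefacts the report shows the sample touching.
CRED_FILE_SUFFIXES = ("\\mozilla\\firefox\\profiles.ini",)
OUTLOOK_PROFILE_KEY = "\\outlook\\profiles"

# Weight per finding (assumed); an image's score is the capped sum of its findings.
WEIGHTS = {
    "vm_fingerprint_wmi": 20,
    "external_ip_check": 15,
    "browser_ua_from_non_browser": 20,
    "self_spawn": 25,
    "credential_store_access": 30,
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Map each image name to {finding: [evidence, ...]} for the findings it triggered."""
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        img, kind = basename(ev["image"]), ev["event"]
        if kind == "process_create":
            # Parent and child being the same image is the proxy, in ordinary
            # process logs, for "creates a copy of itself in suspended mode".
            if basename(ev["parent_image"]) == img:
                findings[img]["self_spawn"].append(ev["command_line"])
        elif kind == "wmi_query" and ev["wmi_class"] in VM_PROBE_CLASSES:
            findings[img]["vm_fingerprint_wmi"].append(ev["wmi_class"])
        elif kind == "dns_query" and ev["query_name"].lower() in IP_CHECK_HOSTS:
            findings[img]["external_ip_check"].append(ev["query_name"])
        elif kind == "http_request":
            ua = ev["user_agent"]
            if any(tok in ua for tok in BROWSER_UA_TOKENS) and img not in BROWSER_IMAGES:
                findings[img]["browser_ua_from_non_browser"].append(f"{ev['host']} ({ua})")
        elif kind == "file_read" and ev["path"].lower().endswith(CRED_FILE_SUFFIXES):
            findings[img]["credential_store_access"].append(ev["path"])
        elif kind == "reg_open" and OUTLOOK_PROFILE_KEY in ev["key"].lower():
            findings[img]["credential_store_access"].append(ev["key"])
    return findings

def score(image_findings):
    return min(100, sum(WEIGHTS[name] for name in image_findings))

def triage(events):
    """Return {image: (score, {finding: evidence})}, highest score first."""
    result = {img: (score(f), dict(f)) for img, f in evaluate(events).items()}
    return dict(sorted(result.items(), key=lambda kv: -kv[1][0]))

# Constructed telemetry mirroring the report; the sample path is the one the
# report shows, the benign rows are invented for contrast.
SAMPLE = r"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{SAMPLE}"'},
    {"event": "process_create", "image": SAMPLE, "parent_image": SAMPLE,
     "command_line": f'"{SAMPLE}"'},
    {"event": "wmi_query", "image": SAMPLE, "wmi_class": "Win32_Processor"},
    {"event": "wmi_query", "image": SAMPLE, "wmi_class": "Win32_Bios"},
    {"event": "dns_query", "image": SAMPLE, "query_name": "api.ipify.org"},
    {"event": "http_request", "image": SAMPLE, "host": "api.ipify.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"},
    {"event": "file_read", "image": SAMPLE,
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"event": "reg_open", "image": SAMPLE,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles"},
    # Benign contrast: a real browser sending a browser UA, and a DNS lookup by svchost.
    {"event": "http_request", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "www.example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"},
    {"event": "dns_query", "image": r"C:\Windows\System32\svchost.exe",
     "query_name": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for image, (points, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{points:3d}  {image}")
        for name, evidence in hits.items():
            print(f"       {name}: {evidence}")
```

Each finding on its own is weak (plenty of inventory agents query Win32_Bios, and updaters check their public IP), which is why the rule scores per image and only the combination reaches the top of the list; the self-spawn and credential-store reads are the two signals worth alerting on alone.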

Classification

Analysis system: w10x64
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://cash4cars.nz", "Username": "logbox@cash4cars.nz", "Password": "-[([pqM~nGA4"}
Source | Rule | Description | Author
00000003.00000002.3390398449.0000000002F01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
            No Sigma rule has matched
            No Suricata rule has matched

AV Detection

Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe.7360.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://cash4cars.nz", "Username": "logbox@cash4cars.nz", "Password": "-[([pqM~nGA4"}
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | ReversingLabs: Detection: 42%
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Virustotal: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Joe Sandbox ML: detected
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RkOo.pdb | source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: Binary string: RkOo.pdbSHA256mu | source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | String found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2153174691.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2170699029.0000000008E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Montero.dll vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000000.2140819310.0000000000B26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename RkOo.exe vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2155139447.0000000002F15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 4d50e2f7-163c-49a2-bbd5-3cf7d6c08520.exe vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 4d50e2f7-163c-49a2-bbd5-3cf7d6c08520.exe vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Montero.dll vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2155139447.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Arthur.dll vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2168553737.0000000005930000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Arthur.dll vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3389055566.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILE vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 4d50e2f7-163c-49a2-bbd5-3cf7d6c08520.exe vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Binary or memory string: OriginalFilename RkOo.exe vs MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe.log
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Mutant created: NULL
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe "C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Process created: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe "C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Sections loaded (first sequence): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Sections loaded (second sequence): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Static PE information: section name: .text entropy: 7.94671283475243
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File created: \mv busan star - calling to discharge about 55,000mt of aggregates.exe
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7360, type: MEMORYSTR
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 14B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 2EA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 9000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: A000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: A200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: B200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe TID: 7380 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Thread delayed: delay time: 922337203685477
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3389350831.0000000001206000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz6!
Source: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2170699029.0000000008E80000.00000004.08000000.00040000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vxHhgfSvMU
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Memory written: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Process created: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe "C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7540, type: MEMORYSTR
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000003.00000002.3390398449.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7540, type: MEMORYSTR
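The three signature sections above (Malware Analysis System Evasion, HIPS / PFW / Operating System Protection Evasion, Stealing of Sensitive Information) are flat lists of observations. What an analyst triaging this kind of export usually wants is to turn the rows back into a verdict with the reasoning visible: the same-image child process plus an MZ header written to its image base is the self-hollowing pattern, the Win32_BaseBoard / Win32_Processor / Win32_NetworkAdapterConfiguration enumerations are hypervisor fingerprinting, and the Login Data / profiles.ini / WinSCP Sessions accesses are credential collection. The following Python is an added example, not Joe Sandbox code and not part of this report: it parses rows in the shape this report prints (the export fuses the source path directly onto the action verb) and tags those patterns. The sample rows, the hypothetical sample.exe path, the VM-fingerprint class list and the scoring weights are constructed assumptions; only the credential-store paths come from the rows above.

```python
import re

# Action verbs as the report prints them; the export fuses the source path directly onto them.
ACTIONS = ("WMI Queries", "Thread delayed", "Memory allocated", "Process created",
           "Memory written", "Key opened", "File opened", "Queries volume information")
ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*(?P<action>"
                    + "|".join(map(re.escape, ACTIONS)) + r")\s*:\s*(?P<detail>.*)$")

# The report's delay value 922337203685477 equals (2^63 - 1) // 10^4, the largest delay the
# NT 100 ns interval can encode: an indefinite wait that parks the thread, not a timed sleep.
MAX_NT_DELAY = (2**63 - 1) // 10**4
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own "long sleeps (>= 3 min)" threshold

# WMI classes whose strings betray a hypervisor; assumed list for this example, not Joe Sandbox's.
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}

# Path/key fragments -> application, taken from the stores this report shows being opened.
CRED_STORES = {
    r"Martin Prikryl\WinSCP 2\Sessions": "WinSCP sessions",
    r"\Google\Chrome\User Data\Default\Login Data": "Chrome saved logins",
    r"\Microsoft\Edge\User Data\Default\Login Data": "Edge saved logins",
    r"\Mozilla\Firefox\profiles.ini": "Firefox profiles",
    r"\Thunderbird\profiles.ini": "Thunderbird profiles",
    r"\FTP Navigator\Ftplist.txt": "FTP Navigator site list",
    r"Windows Messaging Subsystem\Profiles": "Outlook/MAPI profiles",
    r"IncrediMail\Identities": "IncrediMail identities",
}

# Constructed sample rows in the report's shape (hypothetical sample.exe, not the real sample path).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\sample.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\sample.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\sample.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\sample.exeMemory allocated: 14B0000 memory reserve | memory write watch",
    r'Source: C:\Users\user\Desktop\sample.exeProcess created: C:\Users\user\Desktop\sample.exe "C:\Users\user\Desktop\sample.exe"',
    r"Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Users\user\Desktop\sample.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\sample.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\Desktop\sample.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation",
]


def parse_row(line):
    """Split one 'Source:' row into source, action and detail; None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rows):
    """Tag each row; returns {tag: [detail, ...]} in the order the rows were seen."""
    tags = {}

    def add(tag, detail):
        tags.setdefault(tag, []).append(detail)

    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        src, action, detail = row["src"], row["action"], row["detail"]
        if action == "WMI Queries":
            wmi_class = detail.rsplit(":", 1)[-1].strip()
            if wmi_class in VM_WMI_CLASSES:
                add("vm_fingerprint_wmi", wmi_class)
        elif action == "Thread delayed":
            delay = int(detail.rsplit(":", 1)[-1])
            if delay == MAX_NT_DELAY:
                add("indefinite_wait", detail)
            elif delay >= LONG_SLEEP_MS:
                add("long_sleep", detail)
        elif action == "Memory allocated" and "memory write watch" in detail:
            add("write_watch_alloc", detail)  # MEM_WRITE_WATCH is routine for the .NET GC: weak alone
        elif action == "Process created":
            child = detail.split('"', 1)[0].strip()  # image path precedes the quoted command line
            if child.lower() == src.lower():
                add("self_spawn", child)
        elif action == "Memory written" and "value starts with: 4D5A" in detail:
            add("pe_image_write", detail)  # an MZ header landing in another process's image
        elif action in ("Key opened", "File opened"):
            for fragment, app in CRED_STORES.items():
                if fragment.lower() in detail.lower():
                    add("credential_store_access", app)
    # A same-image child plus an MZ header written to its image base is the hollowing pattern.
    if "self_spawn" in tags and "pe_image_write" in tags:
        tags["process_hollowing_self"] = list(tags["pe_image_write"])
    return tags


# Assumed weights, counted once per tag and capped at 100 like the report's own score scale.
WEIGHTS = {"process_hollowing_self": 40, "credential_store_access": 30, "pe_image_write": 10,
           "vm_fingerprint_wmi": 10, "self_spawn": 5, "indefinite_wait": 5, "long_sleep": 5,
           "write_watch_alloc": 1}


def triage(rows):
    """Return (verdict, score, tags) for a list of report rows."""
    tags = classify(rows)
    score = min(100, sum(WEIGHTS.get(tag, 0) for tag in tags))
    verdict = "malicious" if score >= 60 else "suspicious" if score >= 20 else "clean"
    return verdict, score, tags


if __name__ == "__main__":
    verdict, score, tags = triage(SAMPLE_ROWS)
    print(f"{verdict} ({score})")
    for tag, hits in tags.items():
        print(f"  {tag}: {hits}")
```

Two weightings deserve a word. The "memory write watch" allocations are given almost no weight because MEM_WRITE_WATCH reservations are normal for the .NET garbage collector, so in a .NET sample they are noise rather than evasion; the same goes for the VolumeInformation queries against fonts and GAC assemblies, which the classifier ignores. The "foreign process" in this report is a second instance of the same executable (the Process created row), which is why the hollowing tag is only raised when a same-image child and a 4D5A write coincide.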

            Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe PID: 7540, type: MEMORYSTR
MITRE ATT&CK Matrix (rebuilt from the flattened export, one line per tactic column; the bracketed digits are the signature-count badges printed in the original matrix, techniques without a badge are the unmatched cells of the full matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [111]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Data from Local System [2]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery



Source | Detection | Scanner | Label
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | 63% | Virustotal |
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | false | | high
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559050
Start date and time: 2024-11-20 05:33:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:34:21 | API Interceptor | 2x Sleep call for process: MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | api.ipify.org/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | QuarantineMessage.zip | malicious | Unknown | 172.67.74.152
api.ipify.org | https://hmjpvx0wn1.gaimensebb.shop/ | malicious | EvilProxy, HTMLPhisher | 104.26.13.205
api.ipify.org | MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Quotation.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | DOCS.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | 1Sj5F6P4nv.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.ipify.org | 5LEXIucyEP.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
api.ipify.org | 44qLDKzsfO.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.ipify.org | gP5rh6fa0S.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.ipify.org | spacers.exe | malicious | Unknown | 104.26.12.205

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://cdn-defac21.artcollective-snapclick.com/api/reg/update.json | malicious | Unknown | 104.21.78.162
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.85.146
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 188.114.97.3
CLOUDFLARENETUS | need quotations.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | https://atpscan.global.hornetsecurity.com/?d=zgarMAzqF8gJdiyz7BRUZX8-Kt1RoHrhrMmKtaU9kW8&f=VhLn9tqiibnSyqWDnEopjApZtye8WgAc5bwx7BMFWiKwqjA1EcPjZyfvoQy11klP&i=&k=QQhP&m=0jL9ajZ_jxYnMJb2yb4luNRYQCXy24RTS6RPwUyZoAcuBVX0kzGA69aOJSo0d2htwIsi238bOVH3h3HqrhJGfzTuFk7GTjJWYsgIrocXphf5x2p4nZ7S2EABjAck31fG&n=TU5FjsulXTMv8aeSlx257utLr9bUpfdm0dDB4GNEHfOuhOvtIOr62mZHw3PXGZeG&r=qntyoaxGftDLRu_wopiK2t_EdeZaeg9mP15ZZI-qDen_3s7cQ10pAlhKQQnYAIUX&s=c4a8f5ec353e41b8b414bdcf47b33dd5d6b52b0394e0e4a09cc54527f49761c3&u=https%3A%2F%2Fthe1oomisagency.com%2Fthyu%2F | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | Employee-SSN.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | https://estudioit.cl/starl/#ZGVicmEuY2FydGVyQGNhc2EuZ292LmF1 | malicious | Unknown | 104.17.25.14

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://s.id/sharedocument | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://trackru.top/us | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://www.google.ie/url?q=queryy8px(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2ftranscabrera.com%2fyaya%2f37w6telbuncxaji5ywvxeooxd1ok88ou67nhi/bWFyay5tY2tlbnppZUBtYWdlbGxhbmxwLmNvbQ==$? | malicious | HTMLPhisher | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://s.id/nelsi | malicious | HTMLPhisher | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://www.google.ie/url?q=querymmjx(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal.com.br%2fyoya%2fgrcbea7q6lbvpmruhnx3bojhvb2k6ojxdnvuw/Y3doaXRlQHdvcmxkZHJ5ZXIuY29t$? | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://ledger-checks.s3.us-east-1.amazonaws.com/index.html | malicious | Unknown | 104.26.13.205
                          No context
                          Process:C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.938345895501036
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
                          File size:668'672 bytes
                          MD5:296a91d852273bd8f8ea784f814e8e54
                          SHA1:47a5391f798e645c075a074a7cddfab468e449d5
                          SHA256:bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0
                          SHA512:0b801c4a4abdff47d84138600eb9db78d68591a12332e2abf00fe0da3b53e51c415a157aae9934bce63ff6ad1c6e7bb8adebcb1bfa12b91f40ec374ce53bd1a6
                          SSDEEP:12288:W1Bo7KvAGZ2/IwuiwQ6CTCPuNCgHt1WH/ctA9upSNtira7Xs:W/o703ZQ5pGPuMgCH/9upTrag
                          TLSH:13E4125123E88F3BD4388FF04534940123F6B57B7A61E29D6ED361D925BAF100AA1F9B
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3<g..............0..(...........G... ...`....@.. ....................................@................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x4a479e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x673C33A9 [Tue Nov 19 06:43:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint, 0x4a479e):
jmp dword ptr [00402000h]
add byte ptr [eax], al  (repeated 97 times)
The 6-byte jmp is the entire native entrypoint of a 32-bit .NET executable: 0x402000 is the image base 0x400000 plus the IAT at RVA 0x2000 (see the data directories below), whose single slot holds the address of mscoree.dll!_CorExeMain, the only import; _CorExeMain loads the CLR and runs the managed entry point. The 97 "add byte ptr [eax], al" lines are zero bytes (00 00) after the stub that the disassembler decodes as instructions; they are padding, not code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa474c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x64c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa2650 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa27a4 | 0xa2800 | 9e5a60562dfe2b233954ac0b1ecaed58 | False | 0.9557091346153846 | data | 7.94671283475243 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x64c | 0x800 | 27fbd4222499e7496c057cb29d2b90f5 | False | 0.341796875 | data | 3.510783460880617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x200 | 026f781fd538a269c33e1ea887d4ecbe | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa6090 | 0x3bc | data | | | 0.4131799163179916
RT_MANIFEST | 0xa645c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
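The header tables above carry the facts a static-triage script derives: the entrypoint is a 6-byte jmp through the IAT to mscoree!_CorExeMain, the COM descriptor (CLR header) is present, and .text sits at almost 8 bits/byte of entropy while being a single 0xa2800-byte section. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It reads those fields from a PE32 file with the Python standard library and derives the same three findings. Header offsets follow the PE/COFF specification; the 7.5 bits/byte "packed" threshold is an assumption, and make_sample_pe() builds a constructed file with this sample's skeleton (IAT at RVA 0x2000, CLR header at 0x2008, entry stub jmp [0x402000]) so the script runs offline without the analysed binary.

```python
"""Added static-triage example (not part of the Joe Sandbox report): reproduce the
entrypoint-stub, CLR-header and section-entropy findings from a PE32 file."""
import math
import random
import struct

IAT, COM_DESCRIPTOR = 12, 14   # IMAGE_DIRECTORY_ENTRY_IAT / IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def shannon_entropy(data):
    """Report-style 'Entropy (8bit)': bits per byte, 0.0 (single value) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob):
    """Read the PE32 header fields the triage needs; offsets follow the PE/COFF spec."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", blob, 0x3C)[0]                # e_lfanew -> 'PE\0\0'
    if blob[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", blob, nt + 6)[0]            # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", blob, nt + 20)[0]       # FileHeader.SizeOfOptionalHeader
    opt = nt + 24                                                # OptionalHeader start
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]    # ImageBase
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]         # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                        # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": blob[rawptr:rawptr + rawsize]})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def bytes_at_rva(pe, rva, n):
    """Return n raw bytes at an RVA via the section table (b'' if the RVA is unmapped)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["raw"][rva - s["va"]:rva - s["va"] + n]
    return b""


def triage(blob, packed_threshold=7.5):
    """Decode the entry stub, check it against the IAT/CLR header, rate section entropy."""
    pe = parse_pe32(blob)
    result = {"entropy": {s["name"]: round(shannon_entropy(s["raw"]), 3) for s in pe["sections"]},
              "entry_jmp_target": None, "clr_stub": False}
    code = bytes_at_rva(pe, pe["entry_rva"], 6)
    if code[:2] == b"\xff\x25" and len(pe["dirs"]) > COM_DESCRIPTOR:   # x86 'jmp dword ptr [abs32]'
        target = struct.unpack_from("<I", code, 2)[0]
        result["entry_jmp_target"] = target
        iat_rva, iat_size = pe["dirs"][IAT]
        # A 32-bit .NET EXE's native entry is exactly this jump through its single IAT slot
        # (mscoree!_CorExeMain); a non-empty COM descriptor confirms the managed image.
        result["clr_stub"] = (iat_rva <= target - pe["image_base"] < iat_rva + iat_size
                              and pe["dirs"][COM_DESCRIPTOR][1] > 0)
    result["packed_sections"] = [n for n, e in result["entropy"].items() if e >= packed_threshold]
    return result


def make_sample_pe():
    """Constructed PE32 (not the analysed file) with this sample's skeleton: IAT at RVA 0x2000,
    CLR header at 0x2008, entry 'jmp [0x402000]', high-entropy .text, near-empty .reloc."""
    image_base, file_align, headers_size = 0x400000, 0x200, 0x200
    rng = random.Random(1)                                        # deterministic 'packed' bytes
    text = bytearray(rng.getrandbits(8) for _ in range(0x1000))
    text[0:8] = struct.pack("<II", 0x2200, 0)                    # IAT: one slot + terminator
    text[8:8 + 0x48] = bytes(0x48)                                # CLR header placeholder
    text[0x100:0x106] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)  # entry at RVA 0x2100
    sections = [(b".text", bytes(text), 0x2000, 0x60000020), (b".reloc", bytes(0x200), 0x4000, 0x42000040)]
    dirs = [(0, 0)] * 16
    dirs[IAT], dirs[COM_DESCRIPTOR] = (0x2000, 8), (0x2008, 0x48)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), 0, 0, 0x2100, 0x2000, 0x4000, image_base, 0x1000, file_align,
                      4, 0, 0, 0, 4, 0, 0, 0x5000, headers_size, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    sec_hdrs, raw, raw_ptr = b"", b"", headers_size
    for name, data, va, flags in sections:
        padded = data + bytes(-len(data) % file_align)
        sec_hdrs += struct.pack("<8s" + "I" * 6 + "HHI", name, len(data), va, len(padded), raw_ptr, 0, 0, 0, 0, flags)
        raw += padded
        raw_ptr += len(padded)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return hdr + bytes(headers_size - len(hdr)) + raw


if __name__ == "__main__":
    import sys
    print(triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()))
```

Run it as `python3 pe_triage.py <file.exe>` to triage a real PE32, or with no argument to run on the constructed sample. A true result for clr_stub together with a .text section above the threshold is the signature the report's tables show: a managed executable whose only native code is the loader stub and whose IL and resources are packed or encrypted, which is why the sandbox saw the credential-stealer code only in memory dumps.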
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 05:34:23.953257084 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:23.953356981 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:23.955306053 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:23.996582985 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:23.996644974 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.458874941 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.459203959 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:24.512362957 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:24.512409925 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.512648106 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.554033041 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:24.685626984 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:24.731336117 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.792761087 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.792802095 CET | 443 | 49720 | 104.26.13.205 | 192.168.2.5
Nov 20, 2024 05:34:24.792890072 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Nov 20, 2024 05:34:24.811419010 CET | 49720 | 443 | 192.168.2.5 | 104.26.13.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 05:34:23.930491924 CET | 52451 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 05:34:23.937432051 CET | 53 | 52451 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 05:34:23.930491924 CET | 192.168.2.5 | 1.1.1.1 | 0x476a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 05:34:23.937432051 CET | 1.1.1.1 | 192.168.2.5 | 0x476a | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 05:34:23.937432051 CET | 1.1.1.1 | 192.168.2.5 | 0x476a | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 05:34:23.937432051 CET | 1.1.1.1 | 192.168.2.5 | 0x476a | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                          • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49720 | 104.26.13.205 | 443 | 7540 | C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-20 04:34:24 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-11-20 04:34:24 UTC | 399 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 04:34:24 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8e55ba389cf68c09-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1921&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1504379&cwnd=240&unsent_bytes=0&cid=2ec5211940d453fb&ts=342&x=0"
2024-11-20 04:34:24 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
Data Ascii: 8.46.123.75
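The network tables above record the sample's first action on the wire: a DNS lookup of api.ipify.org, a TLS session to the first A record within about 20 ms, and a GET whose User-Agent claims Firefox 99 although the client is an .exe on the user's Desktop. The Python below is an added detection example, not part of the Joe Sandbox report; it correlates process, DNS, connect and HTTP events from an endpoint or network sensor and raises two alerts: a non-browser process connecting to an address it just resolved for a public IP-echo service, and a browser User-Agent presented by a non-browser image. The event field names, the window, and the sample events (including the firefox.exe control) are constructed for this example; the IP-echo domain list is a starter set, not an exhaustive one.

```python
"""Added detection example (not part of the Joe Sandbox report): correlate process, DNS,
connect and HTTP events to flag an external-IP check by a non-browser process."""
import re
from datetime import datetime

# Starter list of public IP-echo services (this sample used api.ipify.org); extend from your own cases.
IP_ECHO_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org", "ifconfig.me", "ip-api.com"}
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"}
BROWSER_UA = re.compile(r"(Firefox|Chrome|Safari|Edg|Trident)/\d")


def image_name(path):
    """Lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(s):
    """Timestamps are ISO 8601 with offset, e.g. 2024-11-20T04:34:23.930491+00:00 (assumed format)."""
    return datetime.fromisoformat(s)


def detect(events, window_s=60.0):
    """Return alerts for the two patterns the report shows. Event field names are assumptions."""
    images, lookups, alerts = {}, {}, []       # pid -> image; (pid, ip) -> (domain, lookup time)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            images[pid] = ev["image"]
            continue
        is_browser = image_name(images.get(pid, "")) in BROWSER_IMAGES
        if ev["type"] == "dns" and ev["name"].lower() in IP_ECHO_DOMAINS:
            for ip in ev["answers"]:           # remember every A record, not just the first
                lookups[(pid, ip)] = (ev["name"].lower(), parse_ts(ev["ts"]))
        elif ev["type"] == "connect" and (pid, ev["dst_ip"]) in lookups and not is_browser:
            domain, t0 = lookups[(pid, ev["dst_ip"])]
            delta = (parse_ts(ev["ts"]) - t0).total_seconds()
            if 0 <= delta <= window_s:         # the connect must follow the lookup closely
                alerts.append({"rule": "external-ip-check", "pid": pid, "image": images.get(pid),
                               "domain": domain, "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
                               "seconds_after_lookup": round(delta, 3)})
        elif ev["type"] == "http" and not is_browser and BROWSER_UA.search(ev.get("user_agent", "")):
            alerts.append({"rule": "browser-ua-spoof", "pid": pid, "image": images.get(pid),
                           "host": ev.get("host"), "user_agent": ev["user_agent"]})
    return alerts


# Constructed events modelled on the report's process, DNS, TCP and HTTP tables (PID 7540),
# plus a firefox.exe control that performs the same lookup and must stay silent.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-11-20T04:34:20+00:00", "pid": 7540,
     "image": r"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"},
    {"type": "dns", "ts": "2024-11-20T04:34:23.930491+00:00", "pid": 7540, "name": "api.ipify.org",
     "answers": ["104.26.13.205", "104.26.12.205", "172.67.74.152"]},
    {"type": "connect", "ts": "2024-11-20T04:34:23.953257+00:00", "pid": 7540,
     "dst_ip": "104.26.13.205", "dst_port": 443},
    {"type": "http", "ts": "2024-11-20T04:34:24+00:00", "pid": 7540, "host": "api.ipify.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"},
    {"type": "process", "ts": "2024-11-20T04:35:00+00:00", "pid": 4242,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "dns", "ts": "2024-11-20T04:35:01+00:00", "pid": 4242, "name": "api.ipify.org",
     "answers": ["104.26.13.205"]},
    {"type": "connect", "ts": "2024-11-20T04:35:01.100000+00:00", "pid": 4242,
     "dst_ip": "104.26.13.205", "dst_port": 443},
    {"type": "http", "ts": "2024-11-20T04:35:02+00:00", "pid": 4242, "host": "api.ipify.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on the process image name, which a sample chooses freely (this one is named after a shipping notice and could just as well be called firefox.exe), so in production gate the browser allow-list on the binary's signer or install path rather than its file name. The HTTP rule only works where the request is visible in clear text; here the GET went over TLS and was visible only because the sandbox intercepts the session, so on a real network the DNS-plus-connect rule is the one that fires.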


                          Target ID:0
                          Start time:23:34:20
                          Start date:19/11/2024
                          Path:C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
                          Imagebase:0xa80000
                          File size:668'672 bytes
                          MD5 hash:296A91D852273BD8F8EA784F814E8E54
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:23:34:22
                          Start date:19/11/2024
                          Path:C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
                          Imagebase:0xaa0000
                          File size:668'672 bytes
                          MD5 hash:296A91D852273BD8F8EA784F814E8E54
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3390398449.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false

                          No disassembly