Edit tour

Windows Analysis Report
0I9GLRSiy0.exe

Overview

General Information

Sample name:	0I9GLRSiy0.exe renamed because original name is a hash value
Original sample name:	d91d556c48fefc1f1884371fa4277298c37b78d2296a4cf10af7c1f7036f38b8.exe
Analysis ID:	1588565
MD5:	278a25d8b1beac144cd590ae592bf680
SHA1:	d4b9110b6410fcb37e99ba258610a5f7d12fcfb5
SHA256:	d91d556c48fefc1f1884371fa4277298c37b78d2296a4cf10af7c1f7036f38b8
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

0I9GLRSiy0.exe (PID: 5696 cmdline: "C:\Users\user\Desktop\0I9GLRSiy0.exe" MD5: 278A25D8B1BEAC144CD590AE592BF680)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.solucionesmexico.mx", "Username": "mynewfile@solucionesmexico.mx", "Password": "dGG^ZYIxX5!B"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3390551615.0000000002847000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 0I9GLRSiy0.exe PID: 5696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0I9GLRSiy0.exe PID: 5696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 0I9GLRSiy0.exe PID: 5696	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.0I9GLRSiy0.exe.3809970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.3809970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.3809970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.3809970.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.0I9GLRSiy0.exe.3845590.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.3845590.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.3845590.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.3845590.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.0I9GLRSiy0.exe.6ca0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.6ca0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.6ca0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.6ca0000.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7016f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x701e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7026b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x702fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x70367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x703d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7046f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x704ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x6d359:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x6c9a2:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x6e038:$s5: remove_Key 0x6e212:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x6f184:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x70151:$s7: logins 0x706c3:$s7: logins 0x733d4:$s7: logins 0x73486:$s7: logins 0x74dd9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0I9GLRSiy0.exe

Avira: detected

Found malware configuration

Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.solucionesmexico.mx", "Username": "mynewfile@solucionesmexico.mx", "Password": "dGG^ZYIxX5!B"}

Multi AV Scanner detection for submitted file

Source: 0I9GLRSiy0.exe	Virustotal: Detection: 75%			Perma Link
Source: 0I9GLRSiy0.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 0I9GLRSiy0.exe

Joe Sandbox ML: detected

Source: 0I9GLRSiy0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0I9GLRSiy0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.6:63153 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: 0I9GLRSiy0.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 0I9GLRSiy0.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028B8000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 0I9GLRSiy0.exe	String found in binary or memory: http://localhost/calculator_server/requests.php
Source: 0I9GLRSiy0.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0I9GLRSiy0.exe, 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 0I9GLRSiy0.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_02673E28	0_2_02673E28
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_02676F90	0_2_02676F90
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0267DFB4	0_2_0267DFB4
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FDAC88	0_2_06FDAC88
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FDB8A0	0_2_06FDB8A0
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FDAFD0	0_2_06FDAFD0
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD5FA8	0_2_06FD5FA8
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD5FA7	0_2_06FD5FA7
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3F50	0_2_06FD3F50
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD6590	0_2_06FD6590
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD4388	0_2_06FD4388
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD4379	0_2_06FD4379
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3B18	0_2_06FD3B18
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_076508A4	0_2_076508A4
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_07652518	0_2_07652518
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_07650868	0_2_07650868
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_07650810	0_2_07650810
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_07650895	0_2_07650895
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A916AD0	0_2_0A916AD0
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A9132C8	0_2_0A9132C8
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A919018	0_2_0A919018
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A910040	0_2_0A910040
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A917878	0_2_0A917878
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A91DF00	0_2_0A91DF00
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A910006	0_2_0A910006
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A918930	0_2_0A918930

Source: 0I9GLRSiy0.exe

Static PE information: invalid certificate

Source: 0I9GLRSiy0.exe, 00000000.00000002.3391526072.00000000038E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1d2b2f51-e841-4af2-8893-cf0c11544dea.exe0 vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename1d2b2f51-e841-4af2-8893-cf0c11544dea.exe0 vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000000.2130680253.000000000044A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameazmse.exe" vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3388981720.000000000085E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3393157835.00000000058A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3394008794.0000000006F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 0I9GLRSiy0.exe
Source: 0I9GLRSiy0.exe	Binary or memory string: OriginalFilenameazmse.exe" vs 0I9GLRSiy0.exe

Source: 0I9GLRSiy0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0I9GLRSiy0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Mutant created: NULL

Source: 0I9GLRSiy0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0I9GLRSiy0.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002902000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028EF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 0I9GLRSiy0.exe	Virustotal: Detection: 75%
Source: 0I9GLRSiy0.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 0I9GLRSiy0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0I9GLRSiy0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_02675E00 push eax; iretd	0_2_02675E09
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3656 push ecx; iretd	0_2_06FD3658
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD6FD5 push eax; iretd	0_2_06FD6FD6
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD6F93 push ecx; iretd	0_2_06FD6F94
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD1F89 push 1FB806FBh; iretd	0_2_06FD1F96
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3788 push ecx; iretd	0_2_06FD378A
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD9F68 pushad ; iretd	0_2_06FD9F71
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD34E5 push ecx; iretd	0_2_06FD34E7
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3466 push ecx; iretd	0_2_06FD3468
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD343F push ecx; iretd	0_2_06FD3441
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD7429 push edx; iretd	0_2_06FD7436
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD5DC2 push eax; iretd	0_2_06FD5DC6
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3581 push ecx; iretd	0_2_06FD3583
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD5D6A push eax; iretd	0_2_06FD5D76
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3557 push ecx; iretd	0_2_06FD3559
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3512 push ecx; iretd	0_2_06FD3514
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD72A9 push edx; iretd	0_2_06FD72B4
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD5228 push ecx; iretd	0_2_06FD5446
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD7B80 push ecx; iretd	0_2_06FD7B8E
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD735A push edx; iretd	0_2_06FD735C
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD38A7 push ecx; iretd	0_2_06FD38A9
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FDC885 pushfd ; iretd	0_2_06FDC88A
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD2049 push 24F806FBh; iretd	0_2_06FD2056
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD3812 push ecx; iretd	0_2_06FD3814
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD71EA push ecx; iretd	0_2_06FD71EB
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD39C1 push ecx; iretd	0_2_06FD39C3
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD7164 push ecx; iretd	0_2_06FD7165
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_06FD7919 pushfd ; iretd	0_2_06FD7925
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Code function: 0_2_0A91D061 push es; ret	0_2_0A91D070

Source: 0I9GLRSiy0.exe

Static PE information: section name: .text entropy: 7.788640730466507

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 0I9GLRSiy0.exe PID: 5696, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002847000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 7710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 8710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 88C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Memory allocated: 98C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: 0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002847000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: 0I9GLRSiy0.exe, 00000000.00000002.3393283957.0000000005957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Code function: 0_2_06FDC610 CheckRemoteDebuggerPresent,

0_2_06FDC610

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Users\user\Desktop\0I9GLRSiy0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0I9GLRSiy0.exe PID: 5696, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\0I9GLRSiy0.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3390551615.0000000002847000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0I9GLRSiy0.exe PID: 5696, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3845590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.6ca0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0I9GLRSiy0.exe.3809970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0I9GLRSiy0.exe PID: 5696, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0I9GLRSiy0.exe	75%	Virustotal		Browse
0I9GLRSiy0.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
0I9GLRSiy0.exe	100%	Avira	HEUR/AGEN.1357257
0I9GLRSiy0.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high
200.163.202.172.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	0I9GLRSiy0.exe, 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0I9GLRSiy0.exe	false	high
http://localhost/calculator_server/requests.php	0I9GLRSiy0.exe	false	high
http://ip-api.com	0I9GLRSiy0.exe, 00000000.00000002.3390551615.0000000002801000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, 0I9GLRSiy0.exe, 00000000.00000002.3390551615.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588565
Start date and time:	2025-01-11 02:26:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0I9GLRSiy0.exe renamed because original name is a hash value
Original Sample Name:	d91d556c48fefc1f1884371fa4277298c37b78d2296a4cf10af7c1f7036f38b8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 172.202.163.200, 20.242.39.171, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:27:01	API Interceptor	2x Sleep call for process: 0I9GLRSiy0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.784800031747238
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	0I9GLRSiy0.exe
File size:	704'520 bytes
MD5:	278a25d8b1beac144cd590ae592bf680
SHA1:	d4b9110b6410fcb37e99ba258610a5f7d12fcfb5
SHA256:	d91d556c48fefc1f1884371fa4277298c37b78d2296a4cf10af7c1f7036f38b8
SHA512:	92624e7713d5f58051b4668d969152bc6c56672ea40bd6d797a5097fcade3876b4cf085c25b52dc4ab8ebf39a30aa0284cf44b18993aeec77bd22d0d250bd4ec
SSDEEP:	12288:PPGzrfXc/HjdgsKG1E4LxdFqNFimnv04/njlcZdkR:uzXuHpgsKG+4LTSz04/jlT
TLSH:	2BE402AD5655E507DB6157340BB1F2B12BBC6FDEA400E2038FEDADEBB866E141C48181
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rg..............0..r............... ........@.. ....................................@................................

File Icon


Icon Hash:	04852062591b5659

Static PE Info

General

Entrypoint:	0x4a9006
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6752E9BA [Fri Dec 6 12:10:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F04F8906772h
je 00007F04F8906772h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F04F8906772h
imul eax, dword ptr [eax], 00610076h
je 00007F04F8906772h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8fb4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x13bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa8a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa702c	0xa7200	5e1f14b3e43b90d434751a34059be37d	False	0.9315208372288706	data	7.788640730466507	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x13bc	0x1400	afc1e845a61883e26f13681f0cd62db1	False	0.732421875	data	6.941914302483971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	7f6b60b9f625567038ba9d9b88557187	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa100	0xd91	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8692772818888569
RT_GROUP_ICON	0xaaea4	0x14	data	1.05
RT_VERSION	0xaaec8	0x2f4	data	0.4312169312169312
RT_MANIFEST	0xab1cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:27:03.736670971 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:27:03.741579056 CET	80	49713	208.95.112.1	192.168.2.6
Jan 11, 2025 02:27:03.741657972 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:27:03.742264986 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:27:03.747108936 CET	80	49713	208.95.112.1	192.168.2.6
Jan 11, 2025 02:27:04.202045918 CET	80	49713	208.95.112.1	192.168.2.6
Jan 11, 2025 02:27:04.247417927 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:27:31.491354942 CET	63153	53	192.168.2.6	162.159.36.2
Jan 11, 2025 02:27:31.496227980 CET	53	63153	162.159.36.2	192.168.2.6
Jan 11, 2025 02:27:31.496298075 CET	63153	53	192.168.2.6	162.159.36.2
Jan 11, 2025 02:27:31.501099110 CET	53	63153	162.159.36.2	192.168.2.6
Jan 11, 2025 02:27:31.960498095 CET	63153	53	192.168.2.6	162.159.36.2
Jan 11, 2025 02:27:31.965495110 CET	53	63153	162.159.36.2	192.168.2.6
Jan 11, 2025 02:27:31.965550900 CET	63153	53	192.168.2.6	162.159.36.2
Jan 11, 2025 02:28:07.834326982 CET	80	49713	208.95.112.1	192.168.2.6
Jan 11, 2025 02:28:07.834435940 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:28:44.222383022 CET	49713	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:28:44.227386951 CET	80	49713	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:27:03.723712921 CET	54884	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:27:03.730907917 CET	53	54884	1.1.1.1	192.168.2.6
Jan 11, 2025 02:27:31.490823984 CET	53	64888	162.159.36.2	192.168.2.6
Jan 11, 2025 02:27:31.979604959 CET	63628	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:27:31.995345116 CET	53	63628	1.1.1.1	192.168.2.6
Jan 11, 2025 02:27:33.159954071 CET	59710	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:27:33.191242933 CET	53	59710	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:27:03.723712921 CET	192.168.2.6	1.1.1.1	0x5eaf	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:27:31.979604959 CET	192.168.2.6	1.1.1.1	0x484d	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 02:27:33.159954071 CET	192.168.2.6	1.1.1.1	0xed84	Standard query (0)	200.163.202.172.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:27:03.730907917 CET	1.1.1.1	192.168.2.6	0x5eaf	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:27:31.995345116 CET	1.1.1.1	192.168.2.6	0x484d	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 02:27:33.191242933 CET	1.1.1.1	192.168.2.6	0xed84	Name error (3)	200.163.202.172.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	208.95.112.1	80	5696	C:\Users\user\Desktop\0I9GLRSiy0.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:27:03.742264986 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 02:27:04.202045918 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:27:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	20:27:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\0I9GLRSiy0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0I9GLRSiy0.exe"
Imagebase:	0x3a0000
File size:	704'520 bytes
MD5 hash:	278A25D8B1BEAC144CD590AE592BF680
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3390551615.0000000002847000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.3393704064.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3391526072.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.4%
Total number of Nodes:	94
Total number of Limit Nodes:	15

Executed Functions

Function 0A910040 Relevance: 2.7, Instructions: 2729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccac0ac8910063fb8510cc87ae09ee39aa51268e835b3e2b95d2eabc8f35d79
Instruction ID: 6aad1ea763eb068981afe66ee2e821193acc125d2895c6aa3f0a2158b3b68233
Opcode Fuzzy Hash: dccac0ac8910063fb8510cc87ae09ee39aa51268e835b3e2b95d2eabc8f35d79
Instruction Fuzzy Hash: 6E53E531D10B1A8ACB51EF68C984599F7B1EF99300F11D79AE4587B221FB70AAD4CF81

Function 0A9132C8 Relevance: 2.2, Instructions: 2232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7871c00d66ee3b709b69e057a2aa12922dfe33bf174b9750f7152b8af769b7b
Instruction ID: cbbb0a5025e27fec6388fca544e6812d0c6fad9a26ed1b2a4d016bd7a9609f99
Opcode Fuzzy Hash: f7871c00d66ee3b709b69e057a2aa12922dfe33bf174b9750f7152b8af769b7b
Instruction Fuzzy Hash: 5D231E31D1071A8EDB11EF68C88459DF7B1FF89300F55D79AE449AB221EB70AAC5CB81

Function 0A91DF00 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bd14d49c9c15198d279ea8543704d295a9ee620d2d350c32c6ef7ffa464be7
Instruction ID: 2861ad9e40aa4678ee31965f1f67289aea9f8d93d795aa94c4887b8c66bc54b0
Opcode Fuzzy Hash: 52bd14d49c9c15198d279ea8543704d295a9ee620d2d350c32c6ef7ffa464be7
Instruction Fuzzy Hash: B0F14B30B00209CFDB14DFA9C988BADBBF2BF88314F158569D815AF2A1DB74A945CF40

Function 06FDC610 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 06FDC687

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8b49583f4745f5c9b83bfa7c417955671af27a867eaba8ad14822f4b857093b3
Instruction ID: d93e45f5fd5f26cd8be2a0cdb8ce27791176eb30d65a6bd6e31ac5e92cceb558
Opcode Fuzzy Hash: 8b49583f4745f5c9b83bfa7c417955671af27a867eaba8ad14822f4b857093b3
Instruction Fuzzy Hash: 72215971C00259CFDB10DF9AD884BEEFBF4AF49310F14841AE459A7240D778A944CF61

Function 06FDAC88 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vrm, xrefs: 06FDAED3

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID: \Vrm
API String ID: 0-3869522837
Opcode ID: 79e9c55c3ed344ba98050df923e7d1f2386e1e5b4f846410744185efbcd592f3
Instruction ID: bc23b721398c31aed3bd26ee73860dad60a987afd5d0e4e0a38c2b96913428bc
Opcode Fuzzy Hash: 79e9c55c3ed344ba98050df923e7d1f2386e1e5b4f846410744185efbcd592f3
Instruction Fuzzy Hash: 03917FB0E00209CFDF50DFA9D9857DDBBF3AF88714F188529E404AB294EB74A845CB95

Function 0A910006 Relevance: 1.2, Instructions: 1231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e65fb09f7e98016f4863b3591390ab980127e9465319cc65a4c85c4a3504f2
Instruction ID: b3409633d3d22ce7e0d2f2fe4cd2c8ffd6570f1f970688b4f208cb1c93980141
Opcode Fuzzy Hash: 46e65fb09f7e98016f4863b3591390ab980127e9465319cc65a4c85c4a3504f2
Instruction Fuzzy Hash: 59D2E531D10B5A8ACB51EB68C8845A9F7B1EF99300F11D79AE45877221FB70AAD4CF81

Function 0A917878 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02bbb727e4531a34a65aa0bed294de3c4a00e4859a525e70f840578dc43b241
Instruction ID: 061eb91ca80abe9a2a639501a88bf5cbf8ba438359ada8d3a2a252a551a3ef65
Opcode Fuzzy Hash: b02bbb727e4531a34a65aa0bed294de3c4a00e4859a525e70f840578dc43b241
Instruction Fuzzy Hash: 2C629C35B0020A8FDB54DBA8D594AADB7F6EF84314F248869E416DB390DB35ED42CF90

Function 076508A4 Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b436a9923a518d85d61753fae947c07bd90e2067ce3615b6417f04662cfb61c1
Instruction ID: 989f607486ce19d792dee3f26eb25b5c4cf4686a8d6c3a354294e133fe982bf3
Opcode Fuzzy Hash: b436a9923a518d85d61753fae947c07bd90e2067ce3615b6417f04662cfb61c1
Instruction Fuzzy Hash: EB324CB0E00219CFDB54DFA9C86079EBBB2BF84300F24856AD40AAB395DE349D45DF95

Function 0A916AD0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df5d0df3a56a6651c1085e9a28ef6634d61a86967962d6853a633428e75f243
Instruction ID: 01347031d999cefe7ec355bb2c67781d67b0871e957df365c03034b0393fe5f0
Opcode Fuzzy Hash: 0df5d0df3a56a6651c1085e9a28ef6634d61a86967962d6853a633428e75f243
Instruction Fuzzy Hash: 0E322231E1061ACBCB14EFB5C89059DB7B6FFC9300F148AA9D449AB214EB719A85CF90

Function 0A919018 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df5b7bd65aee61b000625f25bd91b8b1d658ff7c01477dbee0b43b66bf6ff3e
Instruction ID: 1afb1ff3945c66746fccdb4d0a33d577d7ef246140fc9a8a5b4a917d46563c5a
Opcode Fuzzy Hash: 3df5b7bd65aee61b000625f25bd91b8b1d658ff7c01477dbee0b43b66bf6ff3e
Instruction Fuzzy Hash: BF02B134B00609DFDB14DF69D4A0AAEB7A2FF84314F248969D815EB395DB36DC42CB90

Function 07650868 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688d8dcd958a38026f6975d6af4becf5b6bc5f298f004cb205ae563aa333032d
Instruction ID: 6eddf6464ffd0619b383bb5b5e8abc9e7bb2526124b07459e7aa505c7b75d689
Opcode Fuzzy Hash: 688d8dcd958a38026f6975d6af4becf5b6bc5f298f004cb205ae563aa333032d
Instruction Fuzzy Hash: 88E14CB1E002158FDF14DF69C89079EBBB2FF85310F18856AD80AAB255EB30D985DB91

Function 07650810 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb392d9f49f15987196138350bf4023f2db317290122e7f91252c8e1b0ce2f0
Instruction ID: 8423b0e44cbf8c5f0ef183262a4b1184b5b15723cb0ef1c4e4618497c72f5cd8
Opcode Fuzzy Hash: 6eb392d9f49f15987196138350bf4023f2db317290122e7f91252c8e1b0ce2f0
Instruction Fuzzy Hash: D4D17BB1D002158FDF15CF65C890B9DBBB2BF85300F18D5AAD84AAB255EB30D985DF90

Function 07650895 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e3d67448cd0d5307e2a8b58789a6deafc6ec439d1715418eadc68e7dfc5465
Instruction ID: 2da38e4b9cb10b7a68049817165b0e9ddfa9278d071f1639779a4bea08e2207a
Opcode Fuzzy Hash: 69e3d67448cd0d5307e2a8b58789a6deafc6ec439d1715418eadc68e7dfc5465
Instruction Fuzzy Hash: 1AC14BB1D002198FDF14CF65C89079DBBB1BF88310F14D5AAD80AAB255DB31D985DF91

Function 07652518 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2fb6d3d58cdf3a227fb251a273145f7e1aadefcea92ef2c7ce1afda10ad4b3
Instruction ID: 8a486b5d05b5cf564663960964bab71ba67a3d87ea6a8154b0edf2af73118683
Opcode Fuzzy Hash: 3b2fb6d3d58cdf3a227fb251a273145f7e1aadefcea92ef2c7ce1afda10ad4b3
Instruction Fuzzy Hash: A3C14AB1E002198FDF14CFA5C890799BBB2BF88310F14D5AAD80AAB355DB31D985DF90

Function 06FDB8A0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b872674a58b7b616b1c5512784a90142635f5c53987912f1bc923bd5642b99ff
Instruction ID: 9738cbf9a5dbdcb6abccc8c7c0ed4de703c30a052968984bff48ab2ad6fc6a76
Opcode Fuzzy Hash: b872674a58b7b616b1c5512784a90142635f5c53987912f1bc923bd5642b99ff
Instruction Fuzzy Hash: CBB152B1E00209CFDB50CFA9D88579DBBF2AF48714F198529D815E7298EB74A845CB81

Function 02676F90 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89715134ea3a0f3c4608b2b385864b2eabcd265e25b04b93250fa89f8ca5ce53
Instruction ID: 5aa00a008c0ad5f8f303430ea5175b32ba357dabc05ea32e992ee1d2fb583bb2
Opcode Fuzzy Hash: 89715134ea3a0f3c4608b2b385864b2eabcd265e25b04b93250fa89f8ca5ce53
Instruction Fuzzy Hash: 6581D274E01219DFDB09DFA9D894AEEBBB2FF88300F248569D405AB365DB345942CF90

Function 02673E28 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ca9a857ebccb9a830f0399c482f2fdf3796be01bbe8d60538848d0c921504c
Instruction ID: 7d1e2da2541263e60a2b722986e5e019c97ba82896d450b2c9b8382a9d8b2e99
Opcode Fuzzy Hash: a4ca9a857ebccb9a830f0399c482f2fdf3796be01bbe8d60538848d0c921504c
Instruction Fuzzy Hash: 3B81D070E01219DFDB08DFA9D894AEEBBB2FF88300F248569D405AB364DB345941CF90

Function 0267D450 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0267D4DE
GetCurrentThread.KERNEL32 ref: 0267D51B
GetCurrentProcess.KERNEL32 ref: 0267D558
GetCurrentThreadId.KERNEL32 ref: 0267D5B1

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1408171f3c3165c2d0143b94976a170ea6544e25d9db3b3b15c5ab655a1a9481
Instruction ID: 75a9bb34ccf706710045ed44d817ca101e8c7fbcfa73d8b3f009f9c88d25ce57
Opcode Fuzzy Hash: 1408171f3c3165c2d0143b94976a170ea6544e25d9db3b3b15c5ab655a1a9481
Instruction Fuzzy Hash: 485169B0D013498FDB54DFA9E648B9EBFF1AF88304F248499D009A73A0D734A945CF61

Function 0267D460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0267D4DE
GetCurrentThread.KERNEL32 ref: 0267D51B
GetCurrentProcess.KERNEL32 ref: 0267D558
GetCurrentThreadId.KERNEL32 ref: 0267D5B1

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 876aa6c1de255d2330b88858d9c70831e92ee4f1fa76403c48b77d013212476e
Instruction ID: 649d7c6bd1de14ebf59a2cdfc61766e496642fcabc996d71f69b52f43aa90237
Opcode Fuzzy Hash: 876aa6c1de255d2330b88858d9c70831e92ee4f1fa76403c48b77d013212476e
Instruction Fuzzy Hash: C05158B0D013099FDB54DFAAE648B9EBBF1EF88314F248459D009A7390D734A945CFA5

Function 0267B1C8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0267B41E

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 28da86911fa3d61224e47f637b69966f8fc729a12f0fa34bf1f80acfac5261df
Instruction ID: c745ae4c91417c2d9094dabe0f0f1cc18616008b4d2e4278d4f0136e24fb6506
Opcode Fuzzy Hash: 28da86911fa3d61224e47f637b69966f8fc729a12f0fa34bf1f80acfac5261df
Instruction Fuzzy Hash: 90712470A01B058FD764DF6AE45476ABBF2BF88308F108A2DD496D7B50DB35E845CB90

Function 026744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026759C9

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 470d3c79c985c36f92baff8038cc4033a88a0d199c25f7f7d2a4e5d4461e12ea
Instruction ID: 7f360746a865b75e1e669208799bb46b7500c4a249ca0a486139efd59eebaf50
Opcode Fuzzy Hash: 470d3c79c985c36f92baff8038cc4033a88a0d199c25f7f7d2a4e5d4461e12ea
Instruction Fuzzy Hash: E0410270C0071DCBEB24DFA9D884B8EBBF5BF48704F6081AAD409AB251DB71A945CF90

Function 0267590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026759C9

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 440cded35cc9284ea9943e3765ca6cf6fc7130b95f7b158939f16b54860cdb47
Instruction ID: 839370c914c88aabe152d1415a2e4af2eba09d6fcd4edbe737c42d3b2a96965a
Opcode Fuzzy Hash: 440cded35cc9284ea9943e3765ca6cf6fc7130b95f7b158939f16b54860cdb47
Instruction Fuzzy Hash: D241E371C0071DCBEB24DFA9D8847DDBBB5BF88704F24816AD409AB251DB715945CF90

Function 06FDC60F Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 06FDC687

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ee15576f9cb2d36911491f354446934a2c1c708016b1c54bd2ca99b9a22b15ed
Instruction ID: be9d98bc1a2495d6d452c390e38b372734279147d3037bf21b9946518085e0c2
Opcode Fuzzy Hash: ee15576f9cb2d36911491f354446934a2c1c708016b1c54bd2ca99b9a22b15ed
Instruction Fuzzy Hash: BA215971C00259CFDB10DFAAD884BEEFBF8AF49310F14841AE459A7240D778A944CFA1

Function 0267D6A1 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0267D72F

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9dcc74d6bf8a1781fb08bb3ea230060fb8440e1d5751258079f08e051eebc87
Instruction ID: b2949818146bc711b4b765a91c53a42fec4ddca33baed7a25d4b8e3136ba3eae
Opcode Fuzzy Hash: c9dcc74d6bf8a1781fb08bb3ea230060fb8440e1d5751258079f08e051eebc87
Instruction Fuzzy Hash: 1C21E4B5900248DFDB10DFA9E984AEEBFF5EB48310F24841AE914A7350D374A954CF60

Function 0267D6A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0267D72F

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b473daacf9bbafe0ff7651eaae2d76dc6c7aa16aa1181822c549eda71dda8bd8
Instruction ID: 86abb6f4437ee495656b3a3f07c8c04ffe776ec04901feae9b6ca6d1d292ba88
Opcode Fuzzy Hash: b473daacf9bbafe0ff7651eaae2d76dc6c7aa16aa1181822c549eda71dda8bd8
Instruction Fuzzy Hash: 7321E4B59002489FDB10CFAAD984ADEBBF8EB48310F14841AE914A7350D374A944CFA1

Function 0267B3B8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0267B41E

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0b3d5196592073a67c1a92817bf66039debe665b647ecba23440b5cda156233e
Instruction ID: 43aab5283128cab05568abe6718eda761b8b7b05f576f420976938bd232a7a65
Opcode Fuzzy Hash: 0b3d5196592073a67c1a92817bf66039debe665b647ecba23440b5cda156233e
Instruction Fuzzy Hash: 511110B5C006498FDB10DF9AD444ADEFBF4AB88328F14846AD418B7344D379A545CFA1

Function 0A91DCE1 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0A91DD3D

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e2c15336120c9c917028251bcdbd1844cbc038e3f627d8dc7af8060866eb10fa
Instruction ID: 93520963ea9dfef190793cee19ec63995b76e99997e01116c41479e79b49e0da
Opcode Fuzzy Hash: e2c15336120c9c917028251bcdbd1844cbc038e3f627d8dc7af8060866eb10fa
Instruction Fuzzy Hash: 781115B5900348DFDB20DFAAD884BCEBFF8AB48320F24855AD518A7250D378A544CFA5

Function 0A91C688 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0A91DD3D

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 100130f87dc6b8b9c5921d35cf3c9652b77d714295914304450f894a59d9d1f2
Instruction ID: c185ddafe417dabed99e7fa713e5ebe616704c73a4cc9e7b9ba9afdc261c8eee
Opcode Fuzzy Hash: 100130f87dc6b8b9c5921d35cf3c9652b77d714295914304450f894a59d9d1f2
Instruction Fuzzy Hash: 101103B590074C9FDB20DF9AD584B9EBBF8EB48220F20885AD519A7240D378A944CFA5

Function 07652ED1 Relevance: 1.5, APIs: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07652E6A,?,?,?,?,?), ref: 07652F0F

Memory Dump Source

Source File: 00000000.00000002.3394476113.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7650000_0I9GLRSiy0.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: a2abe63efe43538c4674f80550d4f7ff5dd2f351d90b0829330ed8c7d02d6ef1
Instruction ID: b9fafbb1828f77d5230caf4e02cb827994a40237cb9537b71874f480cf736646
Opcode Fuzzy Hash: a2abe63efe43538c4674f80550d4f7ff5dd2f351d90b0829330ed8c7d02d6ef1
Instruction Fuzzy Hash: FD0156B28002099FDB11CFA9D844BDEBBF4AF48320F18840AE915A7260C339D494DFA0

Function 024CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e080c80c673b44530103b8810ddde1a4cf96f80f7ae3110e616bfe7a50caa039
Instruction ID: 8d57c0d148108a8286082a6fe6ea05b7e983245c2aa4aa2bffe7f39c08cea456
Opcode Fuzzy Hash: e080c80c673b44530103b8810ddde1a4cf96f80f7ae3110e616bfe7a50caa039
Instruction Fuzzy Hash: 0D21C17A904244EFDB45DF18D9C0B27BF65FB88318F34857EE90A0B256C336E456CAA1

Function 024CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e126cd80f6a2af39c2f9b897dadadb9696734944c4d0997974953a8501a6eaa
Instruction ID: b8b50790069be6ca5fa8394ab2e9a589a33af87095023ad629f2c222dde6c787
Opcode Fuzzy Hash: 0e126cd80f6a2af39c2f9b897dadadb9696734944c4d0997974953a8501a6eaa
Instruction Fuzzy Hash: 79210679900204DFDB48DF18D9C0B27BB65FB88314F34C17EEA0A0B256C336E456CAA5

Function 024DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389783656.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38455fe018567c86a6c796d23cc5fc69d173467c2d18441c637412d5249d314
Instruction ID: 99fc5224e193a48fedf00e4ed35ab705d0f1892b64a29a834248fb21cbdc8b91
Opcode Fuzzy Hash: e38455fe018567c86a6c796d23cc5fc69d173467c2d18441c637412d5249d314
Instruction Fuzzy Hash: 79212572904204DFDB15DF14D990B16BB65FBC8318F64C56EE90A0B346C336D447CE61

Function 024DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389783656.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125287971dd82b61092c94c1bece42411734ce22e0e021fca7d04647ce2cba06
Instruction ID: 2a087c5b7cfc45aecffbea732cd7526ce3ee4796d61b3241ce63011b9d4b1667
Opcode Fuzzy Hash: 125287971dd82b61092c94c1bece42411734ce22e0e021fca7d04647ce2cba06
Instruction Fuzzy Hash: 20212672A04204EFDB05DF54D9E0F26BBA5FB88314F24C6AEE90A4F352C376D446CA61

Function 024DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389783656.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb5fbbaf6b289d92faaaa52ae3f2b976b6d6271bcca42a6dbcb6e92ef67ebc5
Instruction ID: 4fee2f64df259a415ea027fa7cceeffaa55526af51585b5bdb85048a16d461da
Opcode Fuzzy Hash: deb5fbbaf6b289d92faaaa52ae3f2b976b6d6271bcca42a6dbcb6e92ef67ebc5
Instruction Fuzzy Hash: 75217175508384DFCB06CF24D994712BF71EB86214F29C5DAD8498F2A7C33A980ACB62

Function 024CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
Instruction ID: 519854dca237699dc4aa4361662327bceaada75b784f585442ef6d1d603344e2
Opcode Fuzzy Hash: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
Instruction Fuzzy Hash: 6E11AF76904244DFCB15CF14D9C4B16BF71FB84324F24C6AED9094B656C33AE45ACBA1

Function 024CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
Instruction ID: 5173334b189a6df7ac66796f8328abdd2d8660ce928bc10a278899f43df733c7
Opcode Fuzzy Hash: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
Instruction Fuzzy Hash: 3011AF76904284CFCB15CF14D9C4B16BF71FB84318F24C6AED8490B656C33AD45ACBA1

Function 024DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389783656.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction ID: 426d894168bf313130593e68d9f3044f761c1137ac36a69e24ae4cacb00cb69e
Opcode Fuzzy Hash: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction Fuzzy Hash: 3311BB76904284DFCB01CF10C5D0B16BBB1FB84214F24C6AAD8494F796C33AD40ACB61

Function 024CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bebe6cac254f440ea2cedd6dff0d4a519aff8c79b7f5f59bc0b403e374bec73
Instruction ID: b8899baa290bb50a4462aae35dd7d5ddf591a4af60d79674be979a5b468a5821
Opcode Fuzzy Hash: 2bebe6cac254f440ea2cedd6dff0d4a519aff8c79b7f5f59bc0b403e374bec73
Instruction Fuzzy Hash: 3901F739806B44DAE7605F19CD84B27BF98DF41324F28853FED080A286D3399841CA71

Function 024CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389702924.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24cd000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafcb772d3b0241249f49ac21baf0a4ac550cd61ee59037afd2c3a58eb54836b
Instruction ID: 96dc50ee50bb2b1b4bdb72328a2b6f65cae2dc93c3fd087108b6ef663fe3d5ad
Opcode Fuzzy Hash: dafcb772d3b0241249f49ac21baf0a4ac550cd61ee59037afd2c3a58eb54836b
Instruction Fuzzy Hash: 82F0C275405744AAE7208F1ACC84B63FFA8EB81634F28C46BED080B286D3799844CAB1

Non-executed Functions

Function 06FDAFD0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vrm, xrefs: 06FDB287

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID: \Vrm
API String ID: 0-3869522837
Opcode ID: c6b44e721f17701e459ba19d38b548e670dbe87e5daa6744e9ed2a0ea2cf1f8d
Instruction ID: 199e9d3b79b2f0d3b07e926a56bd1617c07d359b81e8bd75a0a0011da8f1deff
Opcode Fuzzy Hash: c6b44e721f17701e459ba19d38b548e670dbe87e5daa6744e9ed2a0ea2cf1f8d
Instruction Fuzzy Hash: 4FB18EB1E00209CFDB50CFA9D9857EEBBF3BF88744F198129D415A7294EB75A841CB81

Function 0A918930 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394949411.000000000A910000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a910000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6749dde3679710fc2f962fb9e54c84dc9f27218ed719449628f0b483a36a9ee
Instruction ID: ed01d5f5c3c6f8b1ac5c6c1304168b2ebc0a51661765acc078d1f24d4da53112
Opcode Fuzzy Hash: f6749dde3679710fc2f962fb9e54c84dc9f27218ed719449628f0b483a36a9ee
Instruction Fuzzy Hash: D6122B30B00219CFDB28DF65D994A9EB7B6BF88304F2489A9D50AAB355DB319D41DF80

Function 06FD5FA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c28ba0c4eeaee535fe3c086d7569c840fa5fa84c5252c9ce9c3c58b7999e07
Instruction ID: df7e5389b54aaf4fa7ae7d2ca03e7a03ab76e13403f73ec9f31042c3d344199a
Opcode Fuzzy Hash: b9c28ba0c4eeaee535fe3c086d7569c840fa5fa84c5252c9ce9c3c58b7999e07
Instruction Fuzzy Hash: 33E11D74E002198FDB54DFA9C5809AEFBF2FF89305F248169E415A7359D730A942CFA0

Function 06FD3F50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c7284b8b23eb94f8cf95360f886e015a91c6012e7cc6f63b48b33f61c1267b
Instruction ID: ba852398a3d2fda275eb577242f3f2266d161a7d56087c8297a876150623ce88
Opcode Fuzzy Hash: 33c7284b8b23eb94f8cf95360f886e015a91c6012e7cc6f63b48b33f61c1267b
Instruction Fuzzy Hash: C0E12C74E002198FDB54DFA9C5809AEFBF2FF89305F288169E415AB359D730A942CF60

Function 06FD6590 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18686adfa6647864573e8c64cfc1694131e4d71aa3c78f2d01fc201cb9463b0a
Instruction ID: ea77ffc4bbec529c65c6e5381e7f03ef1eb31f4de294d21e893753037330201f
Opcode Fuzzy Hash: 18686adfa6647864573e8c64cfc1694131e4d71aa3c78f2d01fc201cb9463b0a
Instruction Fuzzy Hash: 87E10D74E002198FDB54DFA9C5809AEFBF2FF89305F288169E415AB359D730A942CF61

Function 06FD4388 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7831233b510b4d90921d73445606d4f6d6087276095381b882dc5256e40378b3
Instruction ID: 6aaf3bdb7d4d82f8365ecc6a32a90e1996ae94043a81c4e9c56bc95cd0484a3f
Opcode Fuzzy Hash: 7831233b510b4d90921d73445606d4f6d6087276095381b882dc5256e40378b3
Instruction Fuzzy Hash: 4AE1FC74E002198FDB54DFA9C580AAEFBF2FF89305F288169E415AB359D731A941CF60

Function 06FD3B18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6936c5c1776ee2908f4243c13a8472b9065814b6313c90c72d2d442a16236a
Instruction ID: eaff64b78283532b40e5a31fafc6b304917345aa62ccc58cfff8920e3c40c719
Opcode Fuzzy Hash: fd6936c5c1776ee2908f4243c13a8472b9065814b6313c90c72d2d442a16236a
Instruction Fuzzy Hash: 5EE11975E002198FDB54DFA9C5809AEFBF2FF89304F288169E505AB359C730A942CF61

Function 0267DFB4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3390200713.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4deee1760405051dbe9c74401645204c68b44496997a13ee08b1c8004d9c5cc
Instruction ID: 4492bc34193f29f37db95d13d185b796cd85a433f209ac93ae9550c44c99ef03
Opcode Fuzzy Hash: a4deee1760405051dbe9c74401645204c68b44496997a13ee08b1c8004d9c5cc
Instruction Fuzzy Hash: 06A14D36E002158FCF05DFB4E84499EB7B2FF85304B2545AEE905AB265DB32E956CB80

Function 06FD4379 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886fa59aefff1b6b3f1a636f50cfb6e64de20b7c10883ae6f5755560aca6d518
Instruction ID: 89e09638460572f806042a5297c21cd4401e1477e3451652906d2bf037039c14
Opcode Fuzzy Hash: 886fa59aefff1b6b3f1a636f50cfb6e64de20b7c10883ae6f5755560aca6d518
Instruction Fuzzy Hash: 71512C75E002198FDB54CFA9C581AAEFBF2FF89304F248169D418A7355D731A942CFA1

Function 06FD5FA7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3394246450.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_0I9GLRSiy0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9d611d6bfec3a61add3bac719860904c7519636a9aa7e7376d2bc2fc87f7bf
Instruction ID: 1586a998fe33d257ce5630ebabfc326287b9dd8ea5d204c968ace4dd59c03597
Opcode Fuzzy Hash: 8d9d611d6bfec3a61add3bac719860904c7519636a9aa7e7376d2bc2fc87f7bf
Instruction Fuzzy Hash: B4512A74E002198FDB54DFA9C5809AEFBF2FF89344F248169D418AB355D731A942CFA1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0I9GLRSiy0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
0I9GLRSiy0.exe

Function 0A91DF00 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 06FDC610 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0267D450 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 0267D460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0267B1C8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 026744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0267590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06FDC60F Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 0267D6A1 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0267D6A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0267B3B8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0A91DCE1 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Function 0A91C688 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON