Windows Analysis Report
Documenti di spedizione.bat.exe

Overview

General Information

Sample name: Documenti di spedizione.bat.exe
Analysis ID: 1538406
MD5: c2d72d131fe371481a0cc117bb835f23
SHA1: dd736a4b716d790f1a3b304f265530399e0646aa
SHA256: d5ee11c69acd2903e1d9b6f6b59aabbd66d9a38430fe4a020d48b18707afb9b8
Tags: exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Documenti di spedizione.bat.exe Avira: detected
Found malware configuration
Source: Documenti di spedizione.bat.exe.1216.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Multi AV Scanner detection for domain / URL
Source: ftp.concaribe.com Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for submitted file
Source: Documenti di spedizione.bat.exe Virustotal: Detection: 15% Perma Link
Source: Documenti di spedizione.bat.exe ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Documenti di spedizione.bat.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Documenti di spedizione.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:64703 version: TLS 1.2
Source: Documenti di spedizione.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_004061FB FindFirstFileA,FindClose, 0_2_004061FB
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405799
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_0040270B FindFirstFileA, 4_2_0040270B
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_004061FB FindFirstFileA,FindClose, 4_2_004061FB
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405799
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 192.185.13.234 192.185.13.234
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:64702 -> 84.38.129.16:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rNWbaMk175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rNWbaMk175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.concaribe.com
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3250163188.00000000071D0000.00000004.00001000.00020000.00000000.sdmp, Documenti di spedizione.bat.exe, 00000004.00000002.3249854436.00000000056D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.129.16/rNWbaMk175.bin
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3249854436.00000000056D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.129.16/rNWbaMk175.bini
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035D3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://concaribe.com
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035D3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.concaribe.com
Source: Documenti di spedizione.bat.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Documenti di spedizione.bat.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3268012189.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 64703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64703
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:64703 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_0040524E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040524E

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Documenti di spedizione.bat.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032BF
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032BF
Creates files inside the system directory
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File created: C:\Windows\SysWOW64\lamellate.ini Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_00406542 0_2_00406542
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_00404A8D 0_2_00404A8D
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_00406542 4_2_00406542
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_00404A8D 4_2_00404A8D
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000D4188 4_2_000D4188
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000DA214 4_2_000DA214
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000D4A58 4_2_000D4A58
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000DAAAB 4_2_000DAAAB
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000D3E40 4_2_000D3E40
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CEBB90 4_2_38CEBB90
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CEA7DC 4_2_38CEA7DC
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CF3158 4_2_38CF3158
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CF0040 4_2_38CF0040
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CFE468 4_2_38CFE468
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CF7760 4_2_38CF7760
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_39202B98 4_2_39202B98
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CF0038 4_2_38CF0038
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: String function: 00402ACE appears 52 times
Sample file is different than original file name gathered from version info
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3267969907.0000000035B89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Documenti di spedizione.bat.exe
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3249854436.00000000056D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Documenti di spedizione.bat.exe
Uses 32bit PE files
Source: Documenti di spedizione.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/18@3/3
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032BF
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032BF
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_0040451A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040451A
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar, 0_2_004020CD
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsgCF12.tmp Jump to behavior
Source: Documenti di spedizione.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Documenti di spedizione.bat.exe Virustotal: Detection: 15%
Source: Documenti di spedizione.bat.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File read: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Documenti di spedizione.bat.exe "C:\Users\user\Desktop\Documenti di spedizione.bat.exe"
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process created: C:\Users\user\Desktop\Documenti di spedizione.bat.exe "C:\Users\user\Desktop\Documenti di spedizione.bat.exe"
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process created: C:\Users\user\Desktop\Documenti di spedizione.bat.exe "C:\Users\user\Desktop\Documenti di spedizione.bat.exe" Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File written: C:\ProgramData\ankomstperrons.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Documenti di spedizione.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.2622907662.0000000007225000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_000D0C55 push edi; retf 4_2_000D0C7A
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_38CF6047 pushad ; iretd 4_2_38CF604E
Drops PE files
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsgDADD.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe API/Special instruction interceptor: Address: 7974D96
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe API/Special instruction interceptor: Address: 3CE4D96
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe RDTSC instruction interceptor: First address: 792047D second address: 792047D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FF0F4F78132h 0x00000006 test dx, DFB8h 0x0000000b inc ebp 0x0000000c test cx, bx 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe RDTSC instruction interceptor: First address: 3C9047D second address: 3C9047D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FF0F4E2A972h 0x00000006 test dx, DFB8h 0x0000000b inc ebp 0x0000000c test cx, bx 0x0000000f inc ebx 0x00000010 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Memory allocated: D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Memory allocated: 35CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Memory allocated: 359B0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599014 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597374 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595948 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595499 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595390 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595279 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595171 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595062 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594624 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Window / User API: threadDelayed 7521 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Window / User API: threadDelayed 2332 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgDADD.tmp\System.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe API coverage: 1.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 2292 Thread sleep count: 7521 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 2292 Thread sleep count: 2332 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -599014s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598249s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -597046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595948s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595279s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -595062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -594953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -594843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe TID: 5136 Thread sleep time: -594624s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_004061FB FindFirstFileA,FindClose, 0_2_004061FB
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405799
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_0040270B FindFirstFileA, 4_2_0040270B
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_004061FB FindFirstFileA,FindClose, 4_2_004061FB
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 4_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405799
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 599014 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597374 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595948 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595499 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595390 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595279 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595171 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 595062 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Thread delayed: delay time: 594624 Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3249854436.00000000056BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@Oo
Source: Documenti di spedizione.bat.exe, 00000004.00000002.3249854436.00000000056EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Enables debug privileges
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Process created: C:\Users\user\Desktop\Documenti di spedizione.bat.exe "C:\Users\user\Desktop\Documenti di spedizione.bat.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Users\user\Desktop\Documenti di spedizione.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Code function: 0_2_00405F19 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405F19
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.3268012189.0000000035D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3268012189.0000000035D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documenti di spedizione.bat.exe PID: 6360, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione.bat.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.3268012189.0000000035D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documenti di spedizione.bat.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.3268012189.0000000035D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3268012189.0000000035D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documenti di spedizione.bat.exe PID: 6360, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
192.185.13.234
 concaribe.com United States
46606 UNIFIEDLAYER-AS-1US true
84.38.129.16
 unknown Latvia
203557 DATACLUB-NL false

Contacted Domains

Name IP Active
api.ipify.org 104.26.13.205 true
concaribe.com 192.185.13.234 true
ftp.concaribe.com unknown unknown
171.39.242.20.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
http://84.38.129.16/rNWbaMk175.bin false
    		unknown