Analysis Report New quotation.exe

Overview

General Information

Sample Name: New quotation.exe
Analysis ID: 299612
MD5: 4e1892ddf9a733ed068855c75ad5e1a3
SHA1: 6b90b97daad055506d9fa70e93f33271c78e028a
SHA256: 71fd91125c6e138188f4f03e12569bce2994002b07d413d57229893e0a1cb39c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • New quotation.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\New quotation.exe' MD5: 4E1892DDF9A733ED068855C75AD5E1A3)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "08DgJtxdhMCOIT", "URL: ": "https://Uedzr4SKhorH.com", "To: ": "chuksanderson@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "EdqNoe50M8AZ1Rc", "From: ": "chuksanderson@hybridgroupco.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.665091448.00000000041E2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.916750264.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.665196687.00000000042C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

            Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.New quotation.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              AV Detection:

Found malware configuration
Source: New quotation.exe.4112.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "08DgJtxdhMCOIT", "URL: ": "https://Uedzr4SKhorH.com", "To: ": "chuksanderson@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "EdqNoe50M8AZ1Rc", "From: ": "chuksanderson@hybridgroupco.com"}
Multi AV Scanner detection for submitted file
Source: New quotation.exe | Virustotal: Detection: 31%
Source: New quotation.exe | ReversingLabs: Detection: 18%
Machine Learning detection for sample
Source: New quotation.exe | Joe Sandbox ML: detected
Source: 1.2.New quotation.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\New quotation.exe | Code function: 1_2_0160A09A recv
Source: unknown | DNS traffic detected: queries for: mail.hybridgroupco.com
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: New quotation.exe, 00000001.00000002.917506766.000000000145B000.00000004.00000020.sdmp | String found in binary or memory: http://go.mi
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: New quotation.exe | String found in binary or memory: http://tempuri.org/supermartDataSet.xsd
Source: New quotation.exe | String found in binary or memory: http://tempuri.org/supermartDataSet.xsdQhttp://tempuri.org/supermartDataSet2.xsd
Source: New quotation.exe | String found in binary or memory: http://tempuri.org/supermartDataSet1.xsd
Source: New quotation.exe | String found in binary or memory: http://tempuri.org/supermartDataSet1.xsdYSELECT
Source: New quotation.exe | String found in binary or memory: http://tempuri.org/supermartDataSet2.xsd
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: http://vLHwJU.com
Source: New quotation.exe, 00000001.00000002.920158471.000000000347F000.00000004.00000001.sdmp | String found in binary or memory: https://Uedzr4SKhorH.com
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: New quotation.exe, 00000000.00000002.665091448.00000000041E2000.00000004.00000001.sdmp, New quotation.exe, 00000001.00000002.916750264.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: New quotation.exe, 00000000.00000002.665091448.00000000041E2000.00000004.00000001.sdmp, New quotation.exe, 00000001.00000002.916750264.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New quotation.exe, 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: 1.2.New quotation.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA01272EAu002d564Bu002d4A9Cu002dAC9Fu002d821796E7C77Fu007d/u0038EFB8C04u002d8A9Cu002d4994u002d8CFBu002d16B96781E79B.csLarge array initialization: .cctor: array initializer size 12005
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: New quotation.exe
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_056A151A NtQuerySystemInformation,0_2_056A151A
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_056A14DF NtQuerySystemInformation,0_2_056A14DF
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0160B0BA NtQuerySystemInformation,1_2_0160B0BA
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0160B089 NtQuerySystemInformation,1_2_0160B089
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_0095B7F90_2_0095B7F9
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D470E00_2_02D470E0
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D434EA0_2_02D434EA
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D461C00_2_02D461C0
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4DDF80_2_02D4DDF8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4D9480_2_02D4D948
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D451700_2_02D45170
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D47EC80_2_02D47EC8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D48EF90_2_02D48EF9
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D47E810_2_02D47E81
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4C6A00_2_02D4C6A0
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D446120_2_02D44612
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4D3D80_2_02D4D3D8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D48BF10_2_02D48BF1
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D49FEF0_2_02D49FEF
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D487900_2_02D48790
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D493700_2_02D49370
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D493600_2_02D49360
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D48F080_2_02D48F08
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D40CF00_2_02D40CF0
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D490F80_2_02D490F8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D470B10_2_02D470B1
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D450460_2_02D45046
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4704F0_2_02D4704F
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D4CC280_2_02D4CC28
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D489500_2_02D48950
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D489600_2_02D48960
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D495100_2_02D49510
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_02D491080_2_02D49108
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_05E900700_2_05E90070
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_05E9004B0_2_05E9004B
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_00C5B7F91_2_00C5B7F9
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055F93941_2_055F9394
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055FD0D01_2_055FD0D0
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055F0A981_2_055F0A98
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055FAC901_2_055FAC90
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055F64801_2_055F6480
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_06063E881_2_06063E88
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_060638F81_2_060638F8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_06061AF81_2_06061AF8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0612BBD81_2_0612BBD8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_061257401_2_06125740
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_061200701_2_06120070
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0612D6E81_2_0612D6E8
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_061200061_2_06120006
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0612D6881_2_0612D688
              Source: New quotation.exe, 00000000.00000000.652052369.00000000009F8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYU.exe6 vs New quotation.exe
              Source: New quotation.exe, 00000000.00000002.665712876.0000000005710000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHutaba.dll, vs New quotation.exe
              Source: New quotation.exe, 00000000.00000002.665645984.00000000056B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs New quotation.exe
              Source: New quotation.exe, 00000000.00000002.665091448.00000000041E2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamewaxkhngnqaTOvZFOhVYBxplbssCrroPmXyrvm.exe4 vs New quotation.exe
              Source: New quotation.exe, 00000000.00000002.665968324.0000000005B30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs New quotation.exe
              Source: New quotation.exe, 00000001.00000002.922260074.0000000005FF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs New quotation.exe
              Source: New quotation.exe, 00000001.00000002.917435111.00000000013E8000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs New quotation.exe
              Source: New quotation.exe, 00000001.00000000.659683994.0000000000CF8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYU.exe6 vs New quotation.exe
              Source: New quotation.exe, 00000001.00000002.922072236.0000000005D30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs New quotation.exe
              Source: New quotation.exe, 00000001.00000002.921675100.0000000005830000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs New quotation.exe
              Source: New quotation.exe, 00000001.00000002.916750264.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamewaxkhngnqaTOvZFOhVYBxplbssCrroPmXyrvm.exe4 vs New quotation.exe
              Source: New quotation.exeBinary or memory string: OriginalFilenameYU.exe6 vs New quotation.exe
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: security.dllJump to behavior
              Source: 1.2.New quotation.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 1.2.New quotation.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_056A105E AdjustTokenPrivileges,0_2_056A105E
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 0_2_056A1027 AdjustTokenPrivileges,0_2_056A1027
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0160AF3E AdjustTokenPrivileges,1_2_0160AF3E
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0160AF19 AdjustTokenPrivileges,1_2_0160AF19
              Source: C:\Users\user\Desktop\New quotation.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New quotation.exe.logJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: New quotation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\New quotation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\New quotation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[purchase] SET [sup_id] = @sup_id, [item_id] = @item_id, [cost_price] = @cost_price, [quantity] = @quantity, [unit] = @unit, [entry_date] = @entry_date, [selling_price] = @selling_price WHERE (([purchase_id] = @Original_purchase_id) AND ([sup_id] = @Original_sup_id) AND ([item_id] = @Original_item_id) AND ([cost_price] = @Original_cost_price) AND ([quantity] = @Original_quantity) AND ([unit] = @Original_unit) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [purchase_id] = @purchase_id WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_purchase_id = 1 AND [purchase_id] IS NULL) OR ([purchase_id] = @Original_purchase_id)));
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [purchase_id]) VALUES (@sup_address, @sup_phone, @entry_date, @purchase_id);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [date] = @date, [total_price] = @total_price, [selling_price] = @selling_price WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([date] = @Original_date) AND ([total_price] = @Original_total_price) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
              Source: New quotation.exeBinary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date); SELECT item_id,
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[purchase] ([sup_id], [item_id], [cost_price], [quantity], [unit], [entry_date], [selling_price]) VALUES (@sup_id, @item_id, @cost_price, @quantity, @unit, @entry_date, @selling_price);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [selling_price] = @selling_price, [date] = @date WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([selling_price] = @Original_selling_price) AND ([date] = @Original_date));
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [sup_name]) VALUES (@sup_address, @sup_phone, @entry_date, @sup_name);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[item] SET [item_name] = @item_name, [quantity] = @quantity, [price] = @price, [date] = @date WHERE (([item_id] = @Original_item_id) AND ([item_name] = @Original_item_name) AND ([quantity] = @Original_quantity) AND ([price] = @Original_price) AND ([date] = @Original_date));
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[sale] ([cus_id], [item_id], [quantity], [selling_price], [date]) VALUES (@cus_id, @item_id, @quantity, @selling_price, @date);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date], [selling_price]) VALUES (@item_name, @quantity, @price, @date, @selling_price);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[customer] ([cus_name], [cus_phone], [cus_address], [entry_date]) VALUES (@cus_name, @cus_phone, @cus_address, @entry_date);
              Source: New quotation.exe, 00000000.00000002.660389826.0000000000952000.00000002.00020000.sdmp, New quotation.exe, 00000001.00000000.659570891.0000000000C52000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [sup_name] = @sup_name WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_sup_name = 1 AND [sup_name] IS NULL) OR ([sup_name] = @Original_sup_name)));
              Source: New quotation.exeVirustotal: Detection: 31%
              Source: New quotation.exeReversingLabs: Detection: 18%
              Source: unknownProcess created: C:\Users\user\Desktop\New quotation.exe 'C:\Users\user\Desktop\New quotation.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\New quotation.exe {path}
              Source: C:\Users\user\Desktop\New quotation.exeProcess created: C:\Users\user\Desktop\New quotation.exe {path}Jump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: New quotation.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\New quotation.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
              Source: New quotation.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: mscorrc.pdb source: New quotation.exe, 00000000.00000002.665645984.00000000056B0000.00000002.00000001.sdmp
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_055FBCF0 push eax; iretd 1_2_055FC071
              Source: initial sampleStatic PE information: section name: .text entropy: 7.23173900398
              Source: C:\Users\user\Desktop\New quotation.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: Process Memory Space: New quotation.exe PID: 6164, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\New quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239906
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239750
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239656
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239547
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239453
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239344
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239203
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239094
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 239000
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238906
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238750
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238656
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238547
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238406
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238297
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238203
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 238000
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237906
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237750
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237656
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237453
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237344
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237203
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237094
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 237000
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 236906
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 236797
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 236656
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\New quotation.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -240000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6384 | Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239656s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239547s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239453s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239344s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239203s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239094s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -239000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238656s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238547s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238297s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238203s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -238000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237656s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237453s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237344s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237203s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237094s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -237000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -236906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -236797s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4488 | Thread sleep time: -236656s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 4544 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -84750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -55000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -53500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -70500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -66000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -42500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -40500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -89718s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -59406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -88359s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -86718s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -57406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -56312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -55406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -82029s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -53812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -53406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -51406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -50500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -50312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -74109s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -49000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -48312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -47500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -46812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -46406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -68859s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -45312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -44812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -44406s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -42000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -41812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -40906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -58359s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -57000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -56718s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -55359s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -36500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -53718s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -34906s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -51750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -33812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -49500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -32500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -32312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -47859s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -46500s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -46218s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -30312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -44859s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -44250s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -43218s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -42609s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -41250s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -39609s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -35718s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -30750s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -58686s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -57594s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -56686s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -55812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -55594s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -51594s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -49186s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -48094s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -43312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -42186s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -41312s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -41094s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -40000s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -39812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -38686s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -36686s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -35594s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -34094s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -32812s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -31686s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe TID: 6760 | Thread sleep time: -30594s >= -30000s
              Source: C:\Users\user\Desktop\New quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\New quotation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\New quotation.exe | Last function: Thread delayed
              Source: New quotation.exe, 00000001.00000002.921675100.0000000005830000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: New quotation.exe, 00000001.00000002.917506766.000000000145B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: VMWARE
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: New quotation.exe, 00000001.00000002.921675100.0000000005830000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: New quotation.exe, 00000001.00000002.921675100.0000000005830000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: New quotation.exe, 00000000.00000002.662250058.0000000003131000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: New quotation.exe, 00000001.00000002.917620175.00000000014C4000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: New quotation.exe, 00000001.00000002.921675100.0000000005830000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\New quotation.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\New quotation.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\New quotation.exe | Code function: 1_2_055FC7C8 LdrInitializeThunk,1_2_055FC7C8
              Source: C:\Users\user\Desktop\New quotation.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\New quotation.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\New quotation.exe | Memory written: C:\Users\user\Desktop\New quotation.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\New quotation.exe | Process created: C:\Users\user\Desktop\New quotation.exe {path}
              Source: New quotation.exe, 00000001.00000002.917794553.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: New quotation.exe, 00000001.00000002.917794553.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: New quotation.exe, 00000001.00000002.917794553.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: New quotation.exe, 00000001.00000002.917794553.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\New quotation.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\New quotation.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\New quotation.exeCode function: 1_2_0160BB16 GetUserNameW,1_2_0160BB16
              Source: C:\Users\user\Desktop\New quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match -- File source: 00000001.00000002.919853636.0000000003411000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.665091448.00000000041E2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000001.00000002.916750264.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.665196687.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000001.00000002.920158471.000000000347F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: Process Memory Space: New quotation.exe PID: 6164, type: MEMORY
              Source: Yara match -- File source: Process Memory Space: New quotation.exe PID: 4112, type: MEMORY
              Source: Yara match -- File source: 1.2.New quotation.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
              Source: C:\Users\user\Desktop\New quotation.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc.)
              Source: C:\Users\user\Desktop\New quotation.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\New quotation.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal FTP login credentials