Analysis Report Mixtec New Order And Price List Requsting Form_pdf.exe

Overview

General Information

Sample Name: Mixtec New Order And Price List Requsting Form_pdf.exe
Analysis ID: 323806
MD5: efab4797e8f0bd00f13d6303b9875ca9
SHA1: 4020126b35149fafa6447dbdfd3183a5d9c35dc8
SHA256: 961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Mixtec New Order And Price List Requsting Form_pdf.exe ReversingLabs: Detection: 47%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057C8030
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057C8021

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: http://HIScld.com
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/02
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/05
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917047288.0000000002F9B000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.677332059.0000000003E9D000.00000004.00000001.sdmp, Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.914822411.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1383627647:AAFPZ_rXJwpP1cKfEFo3ihYu1fzqORkFnc8/
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917047288.0000000002F9B000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1383627647:AAFPZ_rXJwpP1cKfEFo3ihYu1fzqORkFnc8/sendDocument
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1383627647:AAFPZ_rXJwpP1cKfEFo3ihYu1fzqORkFnc8/sendDocumentdocument-----
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917047288.0000000002F9B000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.orgx&
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.917110372.0000000002FD3000.00000004.00000001.sdmp String found in binary or memory: https://certs.godaddy.com/repository/0
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: https://p88gKnqaJsC65fXB.com
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.677332059.0000000003E9D000.00000004.00000001.sdmp, Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.914822411.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674411467.0000000000F8B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b83E249E6u002d0FA4u002d488Bu002d9B33u002d7850B58306A6u007d/u0033B55211Eu002dFDCFu002d4D12u002d9CD8u002d684DBF270439.cs Large array initialization: .cctor: array initializer size 12015
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Mixtec New Order And Price List Requsting Form_pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_00F228C8 0_2_00F228C8
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB0A98 0_2_02AB0A98
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB7DA8 0_2_02AB7DA8
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB0A87 0_2_02AB0A87
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02ABA2F7 0_2_02ABA2F7
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB23A8 0_2_02AB23A8
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB23A4 0_2_02AB23A4
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB8F21 0_2_02AB8F21
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB8F58 0_2_02AB8F58
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB91A8 0_2_02AB91A8
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB919B 0_2_02AB919B
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB7D99 0_2_02AB7D99
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB8128 0_2_02AB8128
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C5078 0_2_057C5078
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C5978 0_2_057C5978
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C596B 0_2_057C596B
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C0070 0_2_057C0070
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C506B 0_2_057C506B
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_057C0007 0_2_057C0007
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009A15B0 1_2_009A15B0
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009AB321 1_2_009AB321
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009A3B58 1_2_009A3B58
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009A2978 1_2_009A2978
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B4F000 1_2_02B4F000
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B47DC8 1_2_02B47DC8
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B49920 1_2_02B49920
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B4B510 1_2_02B4B510
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B4DD40 1_2_02B4DD40
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_02B4B502 1_2_02B4B502
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_05E62028 1_2_05E62028
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_05E67C30 1_2_05E67C30
PE file contains strange resources
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Binary or memory string: OriginalFilename vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOFmhYfgSpqzwYTgbszUPCHXXkbguUzFFnTX.exe4 vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674411467.0000000000F8B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000000.649352887.0000000000772000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLvzz.exe@ vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.678526761.0000000005680000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.678195672.00000000051F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Binary or memory string: OriginalFilename vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915597950.00000000011C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915338107.0000000000FEA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.914822411.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameOFmhYfgSpqzwYTgbszUPCHXXkbguUzFFnTX.exe4 vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915612587.00000000011D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.918058134.0000000005240000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915499326.00000000010E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.914865663.00000000007C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLvzz.exe@ vs Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Binary or memory string: OriginalFilenameLvzz.exe@ vs Mixtec New Order And Price List Requsting Form_pdf.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Section loaded: security.dll
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Mixtec New Order And Price List Requsting Form_pdf.exe.log
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Mixtec New Order And Price List Requsting Form_pdf.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe 'C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process created: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Mixtec New Order And Price List Requsting Form_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.678195672.00000000051F0000.00000002.00000001.sdmp, Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915499326.00000000010E0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, erSe.cs .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Mixtec New Order And Price List Requsting Form_pdf.exe.770000.0.unpack, erSe.cs .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Mixtec New Order And Price List Requsting Form_pdf.exe.770000.0.unpack, erSe.cs .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.7c0000.1.unpack, erSe.cs .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Mixtec New Order And Price List Requsting Form_pdf.exe.7c0000.0.unpack, erSe.cs .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_00F38BC4 push ecx; ret 0_2_00F38BC5
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_00F38BC8 push ebp; ret 0_2_00F38BC9
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AB6515 push edx; retf 0_2_02AB651B
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_02AC104C push edi; ret 0_2_02AC104D
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009AD0CF push ss; iretd 1_2_009AD0D1
Source: initial sample Static PE information: section name: .text entropy: 7.36789714747

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File created: \mixtec new order and price list requsting form_pdf.exe

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.674981503.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 4680, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 5944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 3120 Thread sleep time: -53028s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep count: 271 > 30
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -8130000s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -747650s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -149535s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -478240s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -508147s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep count: 50 > 30
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -1492950s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -1015240s >= -30000s
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe TID: 6588 Thread sleep time: -59688s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Last function: Thread delayed
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.918058134.0000000005240000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.918058134.0000000005240000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.918058134.0000000005240000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674436187.0000000000FBB000.00000004.00000020.sdmp, Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915394985.000000000105C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000000.00000002.674943529.0000000002E11000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.918058134.0000000005240000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process information queried: ProcessInformation
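The evasion evidence above combines three independent signals: WMI enumeration of hardware classes (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor) whose values reveal a hypervisor, probing for Sandboxie (SBIEDLL.DLL) and Wine (WINE_GET_UNIX_FILE_NAME) artifacts, and sleeps that outlive a sandbox run. The delay value 922337203685477 is worth decoding: it is Int64.MaxValue / 10,000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds, so the thread is parked indefinitely rather than for a tuned interval. The Python below is an added example, not part of the sandbox report or of Joe Sandbox's own tooling: it parses constructed lines modelled on this report's evidence, decodes the sleep constant, and scores the three signals. It assumes the sleep figures are milliseconds (as Sleep()/NtDelayExecution arguments usually are; the report's "s" suffix is left uninterpreted) and the line format is the one visible on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the evidence lines of this report
# (not copied from the sandbox's machine-readable output).
SAMPLE_EVIDENCE = """\
WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard
WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapterConfiguration
WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor
TID: 5944 Thread sleep time: -922337203685477s >= -30000s
TID: 3120 Thread sleep time: -53028s >= -30000s
TID: 6588 Thread sleep time: -8130000s >= -30000s
TID: 6588 Thread sleep count: 271 > 30
Binary or memory string: SBIEDLL.DLL
Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
"""

# TimeSpan.MaxValue.Ticks is Int64.MaxValue; there are 10,000 ticks per millisecond.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # == 922337203685477

# WMI classes this report's signatures name as VM-detection sources.
ANTI_VM_WMI_CLASSES = {
    "Win32_Bios", "Win32_BaseBoard", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}

# Module / export names that betray Sandboxie and Wine (strings seen in the report).
SANDBOX_MARKERS = {
    "SBIEDLL.DLL": "Sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "Wine",
}

LONG_SLEEP_MS = 3 * 60 * 1000   # the report's ">= 3 min" threshold, assumed to be ms

WMI_RE = re.compile(r"root\\cimv2 : (?:SELECT .*? FROM )?(Win32_\w+)")
SLEEP_RE = re.compile(r"Thread sleep time: -?(\d+)s")


def classify_sleep(ms: int) -> str:
    """Bucket one sleep interval (assumed to be milliseconds)."""
    if ms == DOTNET_TIMESPAN_MAX_MS:
        return "infinite"   # TimeSpan.MaxValue: the thread never intends to wake
    if ms >= LONG_SLEEP_MS:
        return "long"       # outlives a typical sandbox execution window
    return "short"


@dataclass
class EvasionReport:
    wmi_classes: set = field(default_factory=set)
    sleeps: list = field(default_factory=list)        # (ms, bucket)
    sandbox_markers: set = field(default_factory=set)

    @property
    def anti_vm_wmi(self) -> set:
        return self.wmi_classes & ANTI_VM_WMI_CLASSES

    @property
    def verdict(self) -> str:
        signals = 0
        if self.anti_vm_wmi:
            signals += 1
        if any(bucket != "short" for _, bucket in self.sleeps):
            signals += 1
        if self.sandbox_markers:
            signals += 1
        return {0: "none", 1: "weak", 2: "likely", 3: "strong"}[signals]


def analyse(evidence: str) -> EvasionReport:
    """Extract the three evasion signals from report-style evidence lines."""
    rep = EvasionReport()
    for line in evidence.splitlines():
        if m := WMI_RE.search(line):
            rep.wmi_classes.add(m.group(1))
        if m := SLEEP_RE.search(line):
            ms = int(m.group(1))
            rep.sleeps.append((ms, classify_sleep(ms)))
        for marker, product in SANDBOX_MARKERS.items():
            if marker in line.upper():
                rep.sandbox_markers.add(product)
    return rep


if __name__ == "__main__":
    r = analyse(SAMPLE_EVIDENCE)
    print("anti-VM WMI classes:", sorted(r.anti_vm_wmi))
    print("sleeps:", r.sleeps)
    print("sandbox markers:", sorted(r.sandbox_markers))
    print("verdict:", r.verdict)
```

The "infinite" bucket is the interesting one for sandbox operators: a sample that parks a thread on TimeSpan.MaxValue is not waiting out a timer, so clock acceleration does not help; what does help is the sandbox's own observation that execution stopped inside a delayed thread, which this report records separately.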

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 1_2_009A0E08 LdrInitializeThunk, 1_2_009A0E08
Enables debug privileges
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Memory written: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Process created: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915704420.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915704420.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915704420.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Mixtec New Order And Price List Requsting Form_pdf.exe, 00000001.00000002.915704420.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
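The two behaviours above are the classic RunPE / process-hollowing sequence: the loader starts a second copy of its own image in suspended mode, then writes a buffer beginning with 4D5A ("MZ") to the child's image base at 0x400000, i.e. it replaces the child's executable with the unpacked AgentTesla payload before resuming it. The Python below is an added detection example, not code from the sandbox report or from any vendor's product. It correlates a constructed event stream (suspended process creation, cross-process memory write, thread resume) and raises a finding only when the writer is the process that created the target suspended and the written bytes are a plausible PE image. The event schema is invented for the example; the PIDs 4680 and 6008 come from this report's Yara hits, but which one is parent and which is child is an assumption.

```python
import struct
from dataclasses import dataclass

SAMPLE = r"C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe"

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit


def build_pe_stub() -> bytes:
    """Constructed minimal DOS/PE header: 'MZ', e_lfanew at 0x3C pointing to 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed event stream mimicking the report's behaviour lines (invented schema).
EVENTS = [
    {"type": "process_create", "pid": 4680, "image": SAMPLE,
     "child_pid": 6008, "child_image": SAMPLE, "flags": CREATE_SUSPENDED},
    {"type": "memory_write", "pid": 4680, "target_pid": 6008,
     "base": 0x400000, "data": build_pe_stub()},
    {"type": "thread_resume", "pid": 4680, "target_pid": 6008},
]


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE signature.

    Stricter than the sandbox's 'value starts with 4D5A': many non-PE buffers
    start with MZ by chance, so we also follow e_lfanew to the 'PE\\0\\0' magic.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


@dataclass
class Finding:
    injector_pid: int
    target_pid: int
    base: int
    self_injection: bool   # child runs the same image as the injector (as in this report)
    resumed: bool          # payload was actually started


def detect_pe_injection(events) -> list:
    """Correlate suspended-create -> cross-process PE write -> resume into findings."""
    suspended = {}   # child_pid -> (creator_pid, same_image)
    writes = {}      # target_pid -> (writer_pid, base)
    resumed = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev["flags"] & CREATE_SUSPENDED:
            same_image = ev["image"].lower() == ev["child_image"].lower()
            suspended[ev["child_pid"]] = (ev["pid"], same_image)
        elif (kind == "memory_write" and ev["target_pid"] != ev["pid"]
              and looks_like_pe(ev["data"])):
            writes[ev["target_pid"]] = (ev["pid"], ev["base"])
        elif kind == "thread_resume":
            resumed.add(ev["target_pid"])

    findings = []
    for target, (writer, base) in writes.items():
        creator, same_image = suspended.get(target, (None, False))
        if creator == writer:   # the writer is the one that spawned the target suspended
            findings.append(Finding(writer, target, base, same_image, target in resumed))
    return findings


if __name__ == "__main__":
    for f in detect_pe_injection(EVENTS):
        print(f"PID {f.injector_pid} wrote a PE image into suspended PID {f.target_pid} "
              f"at 0x{f.base:X}; self-injection={f.self_injection}; resumed={f.resumed}")
```

On a real host the same correlation is available from Sysmon event 10 (process access) plus event 1 (process creation) or from an EDR's memory-write telemetry; the key discriminator is not the MZ bytes alone but the combination of a suspended child, a write from its own parent, and a subsequent resume.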

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.914822411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677332059.0000000003E9D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 4680, type: MEMORY
Source: Yara match File source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 6008, type: MEMORY
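The credential-access entries above share one shape: a single process reads the password stores of several unrelated applications (browser, FTP client, mail client, WinSCP) in quick succession. The following heuristic is an added example, not part of this report or of any sandbox product: it parses event lines in the report's own "Source: <process> File opened|Key opened: <target>" form, maps each target to a credential-store family using the paths and registry keys listed in this report, and flags any process that reads stores of two or more families it does not own. The event lines, the owning-application allow-list and the family grouping are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Behaviour events in the report's own "Source: <process> <operation>: <target>" shape.
EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<op>File opened|Key opened):\s+(?P<target>.+?)\s*$"
)

# Credential stores this sample touched, grouped by application family
# (regexes matched against the file path or registry key).
CREDENTIAL_STORES = {
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
    ],
    "ftp": [
        r"\\FileZilla\\recentservers\.xml$",
        r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    ],
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
    ],
    "scp": [
        r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$",
    ],
}
COMPILED = {fam: [re.compile(p, re.IGNORECASE) for p in pats]
            for fam, pats in CREDENTIAL_STORES.items()}

# Applications allowed to read their own store (assumed allow-list; extend for your environment).
OWN_STORE = {
    "chrome.exe": "browser", "firefox.exe": "browser",
    "filezilla.exe": "ftp", "thunderbird.exe": "mail", "winscp.exe": "scp",
}

def classify(target):
    """Map a file path or registry key to a credential-store family, or None."""
    for fam, pats in COMPILED.items():
        if any(p.search(target) for p in pats):
            return fam
    return None

def families_by_process(lines):
    """Collect the set of credential-store families each process touched."""
    hits = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fam = classify(m.group("target"))
        if fam:
            hits[m.group("proc")].add(fam)
    return dict(hits)

def suspicious_processes(lines, min_families=2):
    """Flag processes that read stores of at least min_families families they do not own."""
    flagged = {}
    for proc, fams in families_by_process(lines).items():
        own = OWN_STORE.get(proc.rsplit("\\", 1)[-1].lower())
        foreign = fams - {own}
        if len(foreign) >= min_families:
            flagged[proc] = sorted(foreign)
    return flagged

SAMPLE_PROC = r"C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed event lines: the sample's accesses as listed in this report, plus two benign ones for contrast.
SAMPLE_EVENTS = [
    rf"Source: {SAMPLE_PROC} Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\",
    rf"Source: {SAMPLE_PROC} File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    rf"Source: {SAMPLE_PROC} Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    rf"Source: {SAMPLE_PROC} Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    rf"Source: {CHROME} File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Program Files\FileZilla FTP Client\filezilla.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
]

if __name__ == "__main__":
    for proc, fams in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(fams)}")
```

The breadth threshold is what separates a stealer from a legitimate application: Chrome reading its own Login Data or FileZilla reading its own recentservers.xml counts for nothing, whereas the submitted sample lands in all four families. The same mapping can be applied to EDR file/registry telemetry once the event lines are normalised to the shape the regex expects.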

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.914822411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677332059.0000000003E9D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.916693049.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: Process Memory Space: Mixtec New Order And Price List Requsting Form_pdf.exe PID: 4680, type: MEMORY
Source: Yara match File source: 1.2.Mixtec New Order And Price List Requsting Form_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_05010A8E listen, 0_2_05010A8E
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_05010E9E bind, 0_2_05010E9E
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_05010A50 CreateMutexW,listen, 0_2_05010A50
Source: C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe Code function: 0_2_05010E6B bind, 0_2_05010E6B

Contacted Public IPs

IP               Domain   Country         ASN    ASN Name    Malicious
149.154.167.220  unknown  United Kingdom  62041  TELEGRAMRU  false

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true
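The only network contact in this report is api.telegram.org (149.154.167.220, AS62041), which the signature list attributes to Telegram API use for C&C. Telegram's Bot API is addressed as https://api.telegram.org/bot<bot_id>:<secret>/<method>, so a request path, where it is visible, carries the bot ID. The script below is an added example, not part of this report: it scans a constructed tab-separated proxy log (timestamp, client IP, process image, HTTP verb, URL), flags requests to the Telegram API host or to the IP listed above from processes that have no business talking to Telegram, and extracts the bot ID and method while deliberately discarding the secret. The log layout, the process allow-list, the bot ID and token, and the sendDocument method in the sample line are all assumptions; the report itself only states that the Telegram API is used.

```python
import re
from urllib.parse import urlsplit

# Indicators from this report: the API host the sample contacted and the IP it resolved to.
TELEGRAM_API_HOST = "api.telegram.org"
REPORT_IPS = {"149.154.167.220"}

# Telegram Bot API request shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Processes that may legitimately reach Telegram (assumed allow-list; tune per environment).
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

def parse_bot_request(url):
    """Return (bot_id, method) for a Telegram Bot API URL, else None. The bot secret is dropped on purpose."""
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH_RE.match(parts.path)
    return (m.group("bot_id"), m.group("method")) if m else None

def flag_telegram_c2(log_lines):
    """Scan tab-separated proxy lines (ts, client, image, verb, url; constructed layout) for Telegram C2."""
    findings = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue
        ts, client, image, verb, url = fields
        host = urlsplit(url).hostname or ""
        # Match on the API host name, or on the bare IP when TLS inspection is absent and only SNI/IP is logged.
        if host != TELEGRAM_API_HOST and host not in REPORT_IPS:
            continue
        process = image.rsplit("\\", 1)[-1].lower()
        if process in EXPECTED_TELEGRAM_CLIENTS:
            continue
        bot = parse_bot_request(url)
        findings.append({
            "ts": ts, "client": client, "process": process, "verb": verb, "host": host,
            "bot_id": bot[0] if bot else None,
            "method": bot[1] if bot else None,
        })
    return findings

# Constructed proxy log. Bot IDs and tokens are invented placeholders; the sendDocument method is an assumption.
SAMPLE_PROXY_LOG = [
    "\t".join(["T+00:00", "10.0.0.15",
               r"C:\Users\user\Desktop\Mixtec New Order And Price List Requsting Form_pdf.exe",
               "POST", "https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument"]),
    "\t".join(["T+01:08", "10.0.0.22",
               r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               "GET", "https://api.telegram.org/bot987654321:AAAnotherPlaceholder/getMe"]),
    "\t".join(["T+02:43", "10.0.0.31", r"C:\Windows\System32\svchost.exe",
               "GET", "https://149.154.167.220/"]),
    "\t".join(["T+02:58", "10.0.0.40", r"C:\Windows\System32\svchost.exe",
               "GET", "https://example.com/"]),
]

if __name__ == "__main__":
    for finding in flag_telegram_c2(SAMPLE_PROXY_LOG):
        print(finding)
```

Two practical points: without TLS inspection a proxy only sees the host (or the IP, as in the third sample line), so the bot ID branch will usually come from memory or configuration extraction rather than from network logs; and because Telegram sits in its own ASN, an IP- or host-based rule has little collateral beyond genuine Telegram clients, which is what the process allow-list is for.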