Analysis Report Proforma Invoice with Bank Details_pdf.exe

Overview

General Information

Sample Name: Proforma Invoice with Bank Details_pdf.exe
Analysis ID: 323892
MD5: 8816ae2d440c50e7ec52be21ae6e2b22
SHA1: 210289b9df203f83f263fe2530aa28c078b8d6c1
SHA256: d2146d63100b68c87046aa63c8e5b73a8893e171f24c3500070005ccea0eaacd
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: MSBuild.exe.6744.3.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "umfkxJ05b", "URL: ": "http://AAETsHFcmz5EiUda3E.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IvIoSkuTkG", "From: ": ""}
Multi AV Scanner detection for domain / URL
Source: mail.hybridgroupco.com Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: Proforma Invoice with Bank Details_pdf.exe Virustotal: Detection: 30%
Source: Proforma Invoice with Bank Details_pdf.exe ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Proforma Invoice with Bank Details_pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 66.70.204.222:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.70.204.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 66.70.204.222:587
Source: unknown DNS traffic detected: queries for: mail.hybridgroupco.com
Source: Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://127.0.0.1:
Source: MSBuild.exe, 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp String found in binary or memory: http://AAETsHFcmz5EiUda3E.net
Source: MSBuild.exe, 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp String found in binary or memory: http://AAETsHFcmz5EiUda3E.net0
Source: Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Proforma Invoice with Bank Details_pdf.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: Proforma Invoice with Bank Details_pdf.exe, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Proforma Invoice with Bank Details_pdf.exe
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: String function: 00C4AF50 appears 39 times
Sample file is different than original file name gathered from version info
Source: Proforma Invoice with Bank Details_pdf.exe Binary or memory string: OriginalFilename vs Proforma Invoice with Bank Details_pdf.exe
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205412201.00000000030AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice with Bank Details_pdf.exe
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs Proforma Invoice with Bank Details_pdf.exe
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, DPAPI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe File created: C:\Users\user\AppData\Local\Temp\folder
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice with Bank Details_pdf.exe Virustotal: Detection: 30%
Source: Proforma Invoice with Bank Details_pdf.exe ReversingLabs: Detection: 27%
Source: Proforma Invoice with Bank Details_pdf.exe String found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe File read: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe 'C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205988083.0000000002E00000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205988083.0000000002E00000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.476016918.0000000005E30000.00000002.00000001.sdmp
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Proforma Invoice with Bank Details_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C5216C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C5216C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C66924 push ebx; iretd 0_2_00C66925
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C662AC pushad ; iretd 0_2_00C662AD
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C66B0A push ecx; ret 0_2_00C66B0B
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C6A41A push edx; retf 0_2_00C6A41E
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C60554 push eax; ret 0_2_00C605B9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C45665 push ecx; ret 0_2_00C45678
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C60608 push eax; ret 0_2_00C605B9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C4AF95 push ecx; ret 0_2_00C4AFA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05893FB7 push cs; retf 3_2_05893FCF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05893F43 push cs; retf 3_2_05893F5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05893ECF push cs; retf 3_2_05893EE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05F341F6 push ebx; iretd 3_2_05F341FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05F315E9 push 0000005Dh; ret 3_2_05F315EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05F3012A push 69FFFFFFh; ret 3_2_05F30139
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05F41722 push 08F2E872h; retf 3_2_05F41728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_05F41712 push 0902E872h; retf 3_2_05F41718

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe File created: C:\Users\user\AppData\Local\Temp\folder\file.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\folder\file.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep count: 338 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -10140000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -149530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -89673s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -149300s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -179154s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -59780s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -489450s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep count: 32 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -334016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -487875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -366940s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep count: 33 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -644028s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -199215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -271362s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -117192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -371089s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -58737s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -31500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -39000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -77812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -31689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -96955s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -53045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -58170s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -58218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -52810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084 Thread sleep time: -31830s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Last function: Thread delayed
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000003.00000003.315248335.0000000000CCF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000003.315248335.0000000000CCF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_04FA9498 LdrInitializeThunk, 3_2_04FA9498
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C5216C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C5216C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C5216C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C5216C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C5216C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C5216C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C41970 mov eax, dword ptr fs:[00000030h] 0_2_00C41970
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C654C7 mov eax, dword ptr fs:[00000030h] 0_2_00C654C7
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C61CC2 mov eax, dword ptr fs:[00000030h] 0_2_00C61CC2
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C65567 mov eax, dword ptr fs:[00000030h] 0_2_00C65567
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C65504 mov eax, dword ptr fs:[00000030h] 0_2_00C65504
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C4A5C8 GetProcessHeap, 0_2_00C4A5C8
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C4F48B SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C4F48B
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C4F468 SetUnhandledExceptionFilter, 0_2_00C4F468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 748008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C49D71 cpuid 0_2_00C49D71
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_00C44897
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00C50BA1
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_00C4B35D
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00C524CA
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00C515AE
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: EnumSystemLocalesEx, 0_2_00C4F54A
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: GetLocaleInfoEx, 0_2_00C4F560
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00C50FAA
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,__invoke_watson,__invoke_watson, 0_2_00C5276E
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C4BDF2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter, 0_2_00C4BDF2
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe Code function: 0_2_00C62DC3 GetUserNameA,CreateFileW,WriteFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessW, 0_2_00C62DC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice with Bank Details_pdf.exe PID: 6672, type: MEMORY
Source: Yara match File source: 0.2.Proforma Invoice with Bank Details_pdf.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice with Bank Details_pdf.exe PID: 6672, type: MEMORY
Source: Yara match File source: 0.2.Proforma Invoice with Bank Details_pdf.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 323892
Sample: Proforma Invoice with Bank ...
Startdate: 27/11/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures

Process: Proforma Invoice with Bank Details_pdf.exe (started)
  Dropped files: C:\Users\user\AppData\Local\Temp\...\file.exe (PE32); C:\...\eb880290d3c747809c5fd1c3af592ae7.xml (XML)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  Started: MSBuild.exe; cmd.exe; conhost.exe

Process: MSBuild.exe (started)
  DNS/IP: hybridgroupco.com 66.70.204.222, 49725, 587 OVHFR Canada; mail.hybridgroupco.com
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); 3 other signatures

Process: cmd.exe (started)
  Started: schtasks.exe

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
66.70.204.222 unknown Canada 16276 OVHFR true

Contacted Domains

Name IP Active
hybridgroupco.com 66.70.204.222 true
mail.hybridgroupco.com unknown unknown