Analysis Report PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe

Overview

General Information

Sample Name: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Analysis ID: 324081
MD5: b3cb5b2bc5c3033b1008ed7f7f6312db
SHA1: 3fd8e55a12bdf35200ee43e210951825ad0293d3
SHA256: 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.1.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: discord.com
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: ftp://ftp.kunwersachdev.com/maerst
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: http://JvKUzM.com
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe String found in binary or memory: http://gorohov.narod.ru/index.htm
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe String found in binary or memory: http://gorohov.narod.ru/index.htmS
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Detected potential crypto function
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00408C60 11_2_00408C60
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0040DC11 11_2_0040DC11
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00407C3F 11_2_00407C3F
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00418CCC 11_2_00418CCC
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00406CA0 11_2_00406CA0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004028B0 11_2_004028B0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0041A4BE 11_2_0041A4BE
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00418244 11_2_00418244
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00401650 11_2_00401650
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00402F20 11_2_00402F20
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004193C4 11_2_004193C4
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00418788 11_2_00418788
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00402F89 11_2_00402F89
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00402B90 11_2_00402B90
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004073A0 11_2_004073A0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_023EF758 11_2_023EF758
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_023E3D93 11_2_023E3D93
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_023E0C60 11_2_023E0C60
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_023E0C50 11_2_023E0C50
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_04A700E0 11_2_04A700E0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_04A700D0 11_2_04A700D0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_04A70073 11_2_04A70073
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_05BB4950 11_2_05BB4950
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_05BB2A38 11_2_05BB2A38
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_05BB1E20 11_2_05BB1E20
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_05BB2168 11_2_05BB2168
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00408C60 11_1_00408C60
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_0040DC11 11_1_0040DC11
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00407C3F 11_1_00407C3F
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00418CCC 11_1_00418CCC
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00406CA0 11_1_00406CA0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_004028B0 11_1_004028B0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_0041A4BE 11_1_0041A4BE
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00418244 11_1_00418244
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00401650 11_1_00401650
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00402F20 11_1_00402F20
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_004193C4 11_1_004193C4
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00418788 11_1_00418788
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00402F89 11_1_00402F89
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00402B90 11_1_00402B90
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_004073A0 11_1_004073A0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: String function: 0040D606 appears 48 times
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: String function: 0040E1D8 appears 88 times
PE / OLE file has an invalid certificate
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Static PE information: invalid certificate
PE file contains strange resources
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918795043.00000000036E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLkFCDrqOCOdatOyKIEUEwX.exe4 vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918795043.00000000036E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919463877.0000000004A40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919787092.0000000005750000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919446938.0000000004A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919809687.0000000005760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.917830550.000000000273A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.917830550.000000000273A000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.917830550.000000000273A000.00000004.00000001.sdmp Binary or memory string: 3l,\\StringFileInfo\\040904B0\\OriginalFilename vs PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Section loaded: mscorjit.dll Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winEXE@3/0@2/2
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Command line argument: 08A 11_2_00413780
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Command line argument: 08A 11_2_00413780
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Command line argument: 08A 11_1_00413780
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe ReversingLabs: Detection: 56%
Source: unknown Process created: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe 'C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe'
Source: unknown Process created: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process created: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Static file information: File size 1218752 > 1048576
Source: Binary string: _.pdb source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.918795043.00000000036E4000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Unpacked PE file: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Unpacked PE file: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041C6470 push ecx; mov dword ptr [esp], edx 0_3_041C6475
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DA574 push 0042AB4Bh; ret 0_3_041DA5BB
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041C658C push ecx; mov dword ptr [esp], edx 0_3_041C6591
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041C65D0 push ecx; mov dword ptr [esp], edx 0_3_041C65D5
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041E55CC push ecx; mov dword ptr [esp], ecx 0_3_041E55D0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041D8678 push 00428C2Ch; ret 0_3_041D869C
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041D86B8 push 00428C6Ch; ret 0_3_041D86DC
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041D96A0 push 00429C66h; ret 0_3_041D96D6
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041C46C4 push 00414C99h; ret 0_3_041C4709
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041D96E8 push 00429C9Ch; ret 0_3_041D970C
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041D9720 push 00429CE0h; ret 0_3_041D9750
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041BD77C push 0040DE80h; ret 0_3_041BD8F0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041C478C push 00414D40h; ret 0_3_041C47B0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DF014 push 0042F611h; ret 0_3_041DF081
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC08C push 0042C640h; ret 0_3_041DC0B0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DF08C push 0042F66Dh; ret 0_3_041DF0DD
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041F1088 push 0044163Ch; ret 0_3_041F10AC
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC0C4 push 0042C678h; ret 0_3_041DC0E8
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC0FC push 0042C6B0h; ret 0_3_041DC120
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DE0F8 push 0042E6D9h; ret 0_3_041DE149
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC13C push 0042C6F0h; ret 0_3_041DC160
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041B613C push 004066F0h; ret 0_3_041B6160
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041BE144 push 0040E6F8h; ret 0_3_041BE168
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC174 push 0042C728h; ret 0_3_041DC198
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DE194 push 0042E754h; ret 0_3_041DE1C4
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041B61B4 push 00406768h; ret 0_3_041B61D8
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC1AC push 0042C760h; ret 0_3_041DC1D0
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DB1D4 push 0042B7A8h; ret 0_3_041DB218
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DC1E4 push 0042C798h; ret 0_3_041DC208
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041B71E0 push 00407794h; ret 0_3_041B7204
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 0_3_041DE228 push 0042E7DCh; ret 0_3_041DE24C

Persistence and Installation Behavior:

barindex
Creates processes with suspicious names
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe File created: \pro forma invoice - - magautkcp (24-nov-20).exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Window / User API: threadDelayed 639 Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Window / User API: threadDelayed 9198 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe TID: 5596 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe TID: 5596 Thread sleep time: -45194522980588373s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe TID: 5512 Thread sleep count: 639 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe TID: 5512 Thread sleep count: 9198 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919809687.0000000005760000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919809687.0000000005760000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919809687.0000000005760000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.919809687.0000000005760000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0040ADB0 GetProcessHeap,HeapFree, 11_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040CE09
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040E61C
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00416F6A
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_004123F1 SetUnhandledExceptionFilter, 11_2_004123F1
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_1_0040CE09
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_1_0040E61C
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_1_00416F6A
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_1_004123F1 SetUnhandledExceptionFilter, 11_1_004123F1
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Memory written: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Process created: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Jump to behavior
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.916311863.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.916311863.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.916311863.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe, 0000000B.00000002.916311863.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: GetLocaleInfoA, 11_2_00417A20
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: GetLocaleInfoA, 11_1_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 11_2_00412A15
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Code function: 11_2_05BB4744 GetUserNameW, 11_2_05BB4744
Source: C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.918795043.00000000036E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.917038973.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.916512263.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.765764476.000000000086E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.916402342.00000000022A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe PID: 6944, type: MEMORY
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2680000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2380000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2680000.2.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe PID: 6944, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.918795043.00000000036E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.917038973.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.916512263.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.765764476.000000000086E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.918550525.00000000027B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.916402342.00000000022A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe PID: 6944, type: MEMORY
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2680000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2380000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe.2680000.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324081 Sample: PRO FORMA INVOICE - - MAGAU... Startdate: 28/11/2020 Architecture: WINDOWS Score: 92 16 Multi AV Scanner detection for submitted file 2->16 18 Detected unpacking (changes PE section rights) 2->18 20 Detected unpacking (overwrites its own PE header) 2->20 22 5 other signatures 2->22 6 PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe 2->6         started        process3 dnsIp4 12 cdn.discordapp.com 162.159.135.233, 443, 49733 CLOUDFLARENETUS United States 6->12 14 discord.com 162.159.137.232, 443, 49732 CLOUDFLARENETUS United States 6->14 24 Injects a PE file into a foreign processes 6->24 10 PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe 2 6->10         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.159.137.232
 unknown United States
13335 CLOUDFLARENETUS false
162.159.135.233
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
discord.com 162.159.137.232 true
cdn.discordapp.com 162.159.135.233 true