Analysis Report New Order Inquiry.PDF.exe

Overview

General Information

Sample Name: New Order Inquiry.PDF.exe
Analysis ID: 326328
MD5: a0ce94d59dc8204e8cdbce7c4d635d32
SHA1: 8599d6d2c48067e3c29cd751dba94ed06313fd75
SHA256: 415e3b94a339a45d036814c1bfbae3a24befccaf6bbba44a5265613f3aec3ef7
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: New Order Inquiry.PDF.exe.6808.2.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "thMm2wh2OXe", "URL: ": "https://8vhVWmhsLg6p.com", "To: ": "billyfunds@divasvalves.com", "ByHost: ": "smtp.divasvalves.com:587", "Password: ": "dz2o9HgMmb", "From: ": "billyfunds@divasvalves.com"}
Machine Learning detection for sample
Source: New Order Inquiry.PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.New Order Inquiry.PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49743 -> 208.91.198.143:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49744 -> 208.91.198.143:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 208.91.198.143:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 208.91.198.143:587
Source: unknown DNS traffic detected: queries for: smtp.divasvalves.com
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: New Order Inquiry.PDF.exe, 00000002.00000002.496450719.00000000035FB000.00000004.00000001.sdmp String found in binary or memory: http://smtp.divasvalves.com
Source: New Order Inquiry.PDF.exe, 00000002.00000002.496450719.00000000035FB000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: http://zwdNmL.com
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp, New Order Inquiry.PDF.exe, 00000002.00000003.445087309.0000000001554000.00000004.00000001.sdmp String found in binary or memory: https://8vhVWmhsLg6p.com
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: https://8vhVWmhsLg6p.comH#7
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: New Order Inquiry.PDF.exe, 00000000.00000002.231364054.0000000003469000.00000004.00000001.sdmp, New Order Inquiry.PDF.exe, 00000002.00000002.489798075.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: New Order Inquiry.PDF.exe, 00000000.00000002.231364054.0000000003469000.00000004.00000001.sdmp, New Order Inquiry.PDF.exe, 00000002.00000002.489798075.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\New Order Inquiry.PDF.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: New Order Inquiry.PDF.exe, MMqB??p??W/??BuWDp??pvBH.cs Long String: Length: 81136
Source: 0.0.New Order Inquiry.PDF.exe.70000.0.unpack, MMqB??p??W/??BuWDp??pvBH.cs Long String: Length: 81136
Source: 0.2.New Order Inquiry.PDF.exe.70000.0.unpack, MMqB??p??W/??BuWDp??pvBH.cs Long String: Length: 81136
Source: 2.2.New Order Inquiry.PDF.exe.ed0000.1.unpack, MMqB??p??W/??BuWDp??pvBH.cs Long String: Length: 81136
Source: 2.0.New Order Inquiry.PDF.exe.ed0000.0.unpack, MMqB??p??W/??BuWDp??pvBH.cs Long String: Length: 81136
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order Inquiry.PDF.exe
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: New Order Inquiry.PDF.exe, 00000000.00000002.235583981.0000000005971000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNT1.dll, vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexQPaXEtXLxQxMXsDyBVeeCdxdcLaKUF.exe4 vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000000.00000000.221683014.0000000000118000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameContinuationTaskFromTask.exe@ vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000000.00000002.231364054.0000000003469000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493347759.00000000018D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.489798075.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamexQPaXEtXLxQxMXsDyBVeeCdxdcLaKUF.exe4 vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.499432901.0000000006720000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.491234427.0000000001338000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493326344.00000000018C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.491149432.0000000000F78000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameContinuationTaskFromTask.exe@ vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe Binary or memory string: OriginalFilenameContinuationTaskFromTask.exe@ vs New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order Inquiry.PDF.exe.log
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File read: C:\Users\user\Desktop\New Order Inquiry.PDF.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\New Order Inquiry.PDF.exe 'C:\Users\user\Desktop\New Order Inquiry.PDF.exe'
Source: unknown Process created: C:\Users\user\Desktop\New Order Inquiry.PDF.exe C:\Users\user\Desktop\New Order Inquiry.PDF.exe
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Process created: C:\Users\user\Desktop\New Order Inquiry.PDF.exe C:\Users\user\Desktop\New Order Inquiry.PDF.exe
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New Order Inquiry.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order Inquiry.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_016ED331 push esp; iretd 2_2_016ED33D
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_0173B5FF push edi; retn 0000h 2_2_0173B601
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_0173D458 pushad ; retf 2_2_0173D459
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_0173D44C pushad ; retf 2_2_0173D455
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_017356F0 push es; ret 2_2_01735700
Source: initial sample Static PE information: section name: .text entropy: 7.00471391573

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\new order inquiry.pdf.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG468.tmp
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: New Order Inquiry.PDF.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6604, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Window / User API: threadDelayed 8287
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Window / User API: threadDelayed 1570
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe TID: 6608 Thread sleep time: -51538s >= -30000s
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe TID: 6632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe TID: 3664 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe TID: 5388 Thread sleep count: 8287 > 30
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe TID: 5388 Thread sleep count: 1570 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: New Order Inquiry.PDF.exe, 00000000.00000002.230902914.0000000002461000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Code function: 2_2_01704068 LdrInitializeThunk, 2_2_01704068
Enables debug privileges
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Process created: C:\Users\user\Desktop\New Order Inquiry.PDF.exe C:\Users\user\Desktop\New Order Inquiry.PDF.exe
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493438325.0000000001C90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493438325.0000000001C90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493438325.0000000001C90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: New Order Inquiry.PDF.exe, 00000002.00000002.493438325.0000000001C90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Users\user\Desktop\New Order Inquiry.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.489798075.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.231364054.0000000003469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6604, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6808, type: MEMORY
Source: Yara match File source: 2.2.New Order Inquiry.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\New Order Inquiry.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6808, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.489798075.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.493883297.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.231364054.0000000003469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6604, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order Inquiry.PDF.exe PID: 6808, type: MEMORY
Source: Yara match File source: 2.2.New Order Inquiry.PDF.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 326328
Sample: New Order Inquiry.PDF.exe
Startdate: 03/12/2020
Architecture: WINDOWS
Score: 100

Start
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected AgentTesla; 9 other signatures
  -> New Order Inquiry.PDF.exe (1) started
       Dropped file: C:\Users\...13ew Order Inquiry.PDF.exe.log, ASCII
       -> New Order Inquiry.PDF.exe (6) started
            DNS/IP: smtp.divasvalves.com
            DNS/IP: us2.smtp.mailhostbox.com 208.91.198.143, 49743, 49744, 587 PUBLIC-DOMAIN-REGISTRYUS United States
            DNS/IP: 192.168.2.1 unknown unknown
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Moves itself to temp directory; Tries to steal Mail credentials (via file access); 3 other signatures

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                  Malicious
208.91.198.143  unknown  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false

Private IPs

IP
192.168.2.1

Contacted Domains

Name                      IP              Active
us2.smtp.mailhostbox.com  208.91.198.143  true
smtp.divasvalves.com      unknown         unknown