Analysis Report New FedEx paper work review.exe

Overview

General Information

Sample Name: New FedEx paper work review.exe
Analysis ID: 339030
MD5: c359c954a7d104b0a1bde867f86e73a5
SHA1: e647c8aa88a7209463b0dd0daa733759a529806d
SHA256: 306602e7317841b219d25b24ca14f9e50987fe9c9e48b3728bb548dea4557f9d
Tags: AgentTesla exe FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name in its version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: New FedEx paper work review.exe.3912.1.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "mRy89v", "URL: ": "https://jeQsgpMQfgg21VTI.net", "To: ": "recieve@resulthome.xyz", "ByHost: ": "mail.privateemail.com:587", "Password: ": "HXIEqtBQ5tSBy", "From: ": "recieve@resulthome.xyz"}
Multi AV Scanner detection for submitted file
Source: New FedEx paper work review.exe Virustotal: Detection: 30%
Source: New FedEx paper work review.exe ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: New FedEx paper work review.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: New FedEx paper work review.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New FedEx paper work review.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05D0E610

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://jeQsgpMQfgg21VTI.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 198.54.122.60:587
TCP/587 is the standard SMTP submission port; this signature fires only because 587 is not in the sandbox's default port list, so read it together with the SMTP finding below rather than as a separate indicator.
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.122.60
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 198.54.122.60:587
Source: unknown DNS traffic detected: queries for: mail.privateemail.com
The connection follows the lookup of mail.privateemail.com, the ByHost value in the extracted configuration, so 198.54.122.60 is the submission server of a shared commercial mail provider. The durable indicators are the sender account, the recipient address and the submission host from the configuration; blocking the IP alone blocks the provider for everyone and is trivially changed by the operator.
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://TSGxUW.com
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: New FedEx paper work review.exe, 00000001.00000002.1028955305.00000000031C8000.00000004.00000001.sdmp String found in binary or memory: http://mail.privateemail.com
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: https://jeQsgpMQfgg21VTI.net
Source: New FedEx paper work review.exe, 00000001.00000002.1028976039.00000000031CE000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: New FedEx paper work review.exe, 00000000.00000002.677503823.0000000004271000.00000004.00000001.sdmp, New FedEx paper work review.exe, 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New FedEx paper work review.exe, 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
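The following Python script is an added example and not part of the Joe Sandbox report: it normalises the extractor output shown under "Found malware configuration" into hunting indicators and runs them over Zeek-style smtp.log records. The DNS answer mapping mail.privateemail.com to 198.54.122.60 is assumed from the query and the connection the report shows; the log records and their field names (Zeek's JSON smtp.log shape) are constructed for illustration.

```python
"""Hunting indicators from the extracted AgentTesla configuration, run over
constructed Zeek-style smtp.log records. Added example; not part of the
sandbox report, and the log records below are made up for illustration."""
import json
import re
from ipaddress import ip_address

# Configuration exactly as the report's extractor printed it. The keys carry a
# trailing ": " which parse_config() strips.
RAW_CONFIG = (
    '{"Username: ": "mRy89v", "URL: ": "https://jeQsgpMQfgg21VTI.net", '
    '"To: ": "recieve@resulthome.xyz", "ByHost: ": "mail.privateemail.com:587", '
    '"Password: ": "HXIEqtBQ5tSBy", "From: ": "recieve@resulthome.xyz"}'
)

# Assumed DNS answers (what a dns.log would give you); the report only shows
# the query for mail.privateemail.com followed by traffic to 198.54.122.60.
RESOLVED = {"mail.privateemail.com": {"198.54.122.60"}}


def parse_config(raw: str) -> dict:
    """Normalise the extractor output: lowercase keys without ': ', split ByHost."""
    cfg = {k.strip(" :").lower(): v for k, v in json.loads(raw).items()}
    host, _, port = cfg["byhost"].partition(":")
    cfg["smtp_host"] = host.lower()
    cfg["smtp_port"] = int(port) if port else 25
    return cfg


def iocs_from_config(cfg: dict, resolved: dict = RESOLVED) -> dict:
    """Derive the indicators worth hunting on.

    The mailboxes and the submission host are stable across builds of the same
    campaign; the provider IP is shared infrastructure and is kept only as a
    secondary pivot."""
    hosts = {cfg["smtp_host"]}
    url_host = re.sub(r"^https?://", "", cfg.get("url", "")).split("/")[0].lower()
    if url_host:
        hosts.add(url_host)
    return {
        "mailboxes": {cfg["to"].lower(), cfg["from"].lower()},
        "hosts": hosts,
        "ips": {ip for h in hosts for ip in resolved.get(h, ())},
        "ports": {cfg["smtp_port"]},
    }


def classify(rec: dict, iocs: dict, approved_relays: frozenset = frozenset()) -> list:
    """Reasons an smtp.log record matches; an empty list means no match.

    STARTTLS on 587 hides MAIL FROM / RCPT TO from the sensor, so the envelope
    check only fires for cleartext sessions; the destination checks work
    either way."""
    reasons = []
    envelope = {rec.get("mailfrom") or "", *rec.get("rcptto", [])}
    envelope = {e.strip("<>").lower() for e in envelope if e}
    if envelope & iocs["mailboxes"]:
        reasons.append("envelope matches configured exfiltration mailbox")
    dst, dport = rec["id.resp_h"], rec.get("id.resp_p")
    if dst in iocs["ips"]:
        reasons.append("destination is the resolved ByHost submission server")
    if dport in iocs["ports"] and not ip_address(dst).is_private and dst not in approved_relays:
        reasons.append("endpoint submits mail directly to an external server")
    return reasons


def hunt(records: list, iocs: dict, approved_relays: frozenset = frozenset()) -> list:
    """Return (ts, source host, reasons) for every matching record."""
    hits = []
    for rec in records:
        reasons = classify(rec, iocs, approved_relays)
        if reasons:
            hits.append((rec["ts"], rec["id.orig_h"], reasons))
    return hits


# Constructed smtp.log records in Zeek's JSON output shape.
SMTP_LOG = [
    {"ts": 1.0, "id.orig_h": "192.168.2.4", "id.resp_h": "198.54.122.60", "id.resp_p": 587,
     "tls": False, "mailfrom": "<recieve@resulthome.xyz>", "rcptto": ["<recieve@resulthome.xyz>"]},
    {"ts": 2.0, "id.orig_h": "192.168.2.10", "id.resp_h": "198.54.122.60", "id.resp_p": 587,
     "tls": True},  # STARTTLS session: no envelope visible, only the destination
    {"ts": 3.0, "id.orig_h": "192.168.2.4", "id.resp_h": "10.0.0.5", "id.resp_p": 25,
     "tls": False, "mailfrom": "<user@corp.example>", "rcptto": ["<helpdesk@corp.example>"]},
]

if __name__ == "__main__":
    for ts, src, why in hunt(SMTP_LOG, iocs_from_config(parse_config(RAW_CONFIG))):
        print(f"{ts:>6} {src:15} {'; '.join(why)}")
```

The second record shows the practical limit: once the client issues STARTTLS the envelope is gone from the wire, so the hit rests on the destination and port, which is why the account and recipient from the configuration also need to go to the provider's abuse desk rather than only into a blocklist.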

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack, <PrivateImplementationDetails>{F4DCDF25-48D6-47F9-A17A-5021C92BDF87}/ADFED8F4-7DE1-4966-A323-08CADB54027F.cs Large array initialization: .cctor: array initializer size 11966
Detected potential crypto function
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_00E06DB9 0_2_00E06DB9
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EDB4C 0_2_031EDB4C
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EC3A0 0_2_031EC3A0
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EE211 0_2_031EE211
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EA758 0_2_031EA758
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EF838 0_2_031EF838
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_031EF828 0_2_031EF828
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_05D03658 0_2_05D03658
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_05D09670 0_2_05D09670
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_05D09663 0_2_05D09663
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_05D03668 0_2_05D03668
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 0_2_05D04B22 0_2_05D04B22
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0138B698 1_2_0138B698
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0138665C 1_2_0138665C
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01397020 1_2_01397020
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139A0C8 1_2_0139A0C8
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013924C0 1_2_013924C0
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01394738 1_2_01394738
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01393151 1_2_01393151
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139318A 1_2_0139318A
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013931E3 1_2_013931E3
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139E820 1_2_0139E820
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01393331 1_2_01393331
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01393316 1_2_01393316
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013933B7 1_2_013933B7
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01393383 1_2_01393383
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139323A 1_2_0139323A
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139321C 1_2_0139321C
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01396298 1_2_01396298
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139328D 1_2_0139328D
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013932DE 1_2_013932DE
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01393510 1_2_01393510
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01399CB0 1_2_01399CB0
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_0139349B 1_2_0139349B
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013934E0 1_2_013934E0
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01396F80 1_2_01396F80
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013D5D38 1_2_013D5D38
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013D0828 1_2_013D0828
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013DAF98 1_2_013DAF98
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013DD250 1_2_013DD250
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013DC648 1_2_013DC648
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013D7128 1_2_013D7128
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013DA320 1_2_013DA320
Sample file name differs from the original file name in its version info
Source: New FedEx paper work review.exe, 00000000.00000002.680228549.0000000006400000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesrfpYaXxCpIvMvkSQOGVRoHtylIkrSAz.exe4 vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000000.00000002.674710371.0000000000EB8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStreamTokenReader.exe8 vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1030749233.00000000061C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1027347384.0000000001310000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamesrfpYaXxCpIvMvkSQOGVRoHtylIkrSAz.exe4 vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000000.674014837.0000000000AE8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStreamTokenReader.exe8 vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe, 00000001.00000002.1026413397.0000000000EF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New FedEx paper work review.exe
Source: New FedEx paper work review.exe Binary or memory string: OriginalFilenameStreamTokenReader.exe8 vs New FedEx paper work review.exe
Uses 32bit PE files
Source: New FedEx paper work review.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New FedEx paper work review.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.New FedEx paper work review.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
CreateDecryptor followed by a single TransformFinalBlock is the SymmetricAlgorithm idiom for decrypting one embedded blob at run time; together with the 11966-byte .cctor array initializer above it is the usual layout for an encrypted payload or string table carried inside the unpacked module.
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New FedEx paper work review.exe.log
Source: New FedEx paper work review.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: New FedEx paper work review.exe Virustotal: Detection: 30%
Source: New FedEx paper work review.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\New FedEx paper work review.exe 'C:\Users\user\Desktop\New FedEx paper work review.exe'
Source: unknown Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The key 9375CFF0413111d3B88A00104B2A6676 is the Outlook profile section that stores mail account settings; reading it is the registry side of the mail-credential harvesting listed in the signatures.
Source: New FedEx paper work review.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New FedEx paper work review.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_013DFC10 pushfd ; iretd 1_2_013DFC61
Source: initial sample Static PE information: section name: .text entropy: 7.44963037864 (close to the 8.0 ceiling, so the section is mostly encrypted or compressed data rather than plain code)

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Process information set: NOOPENFILEERRORBOX (85 identical entries collapsed)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 5956, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Thread delayed: delay time: 922337203685477
The value 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), i.e. a wait that never ends on its own; a sandbox that does not cap sleeps sees nothing further from that thread.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Window / User API: threadDelayed 992
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Window / User API: threadDelayed 8862
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 4600 Thread sleep time: -54070s >= -30000s
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 4600 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 6480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 5768 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 2440 Thread sleep count: 992 > 30
Source: C:\Users\user\Desktop\New FedEx paper work review.exe TID: 2440 Thread sleep count: 8862 > 30
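Added example, not the sandbox's own scoring logic: it buckets delay values the way the signatures above do and shows why a sandbox that merely caps each individual sleep still loses to a loop of short ones. The trace events are constructed; the thresholds follow the signature names in this report (3 min for a long sleep, 30 s for an evasive sleep, more than 30 delays on one thread for a loop).

```python
"""Sleep-evasion heuristics over a constructed API trace of thread delays.
Added example, not the sandbox's scoring code. Thresholds mirror the report's
signature names; the trace events themselves are made up."""
from collections import defaultdict

# TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000),
# the value the report shows as delay time 922337203685477.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000
EVASIVE_SLEEP_MS = 30 * 1000
LOOP_COUNT = 30


def classify_delay(ms: int) -> str:
    """Bucket a single delay the way the report's signatures do."""
    if ms < 0 or ms >= TIMESPAN_MAX_MS:
        return "infinite"      # Timeout.Infinite (-1) or TimeSpan.MaxValue
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= EVASIVE_SLEEP_MS:
        return "evasive"
    return "short"


def analyse(events):
    """events: iterable of (tid, delay_ms). Returns {tid: {...}} with the
    requested wall-clock per thread and the flags a report would raise."""
    per_tid = defaultdict(list)
    for tid, ms in events:
        per_tid[tid].append(ms)
    findings = {}
    for tid, delays in per_tid.items():
        kinds = {classify_delay(d) for d in delays}
        flags = set()
        if "infinite" in kinds:
            flags.add("infinite_sleep")
        if "long" in kinds:
            flags.add("long_sleep")
        if "evasive" in kinds:
            flags.add("evasive_sleep")
        if len(delays) > LOOP_COUNT:
            flags.add("sleep_loop")
        findings[tid] = {
            "count": len(delays),
            "requested_ms": sum(d for d in delays if 0 <= d < TIMESPAN_MAX_MS),
            "flags": flags,
        }
    return findings


def capped_wait_ms(events, cap_ms: int = EVASIVE_SLEEP_MS) -> int:
    """Wall-clock a sandbox still spends if it caps every single delay at
    cap_ms. Capping defeats one huge sleep but not a loop of small ones."""
    return sum(min(ms if ms >= 0 else cap_ms, cap_ms) for _, ms in events)


# Constructed trace: thread ids borrowed from the report, durations made up.
TRACE = (
    [(4600, 54_070), (4600, 45_000)]      # two evasive sleeps
    + [(6480, TIMESPAN_MAX_MS)]           # "sleep forever"
    + [(5768, -1)]                        # Timeout.Infinite
    + [(2440, 20)] * 8_862                # loop of short sleeps
)

if __name__ == "__main__":
    for tid, info in sorted(analyse(TRACE).items()):
        print(tid, info["count"], info["requested_ms"], sorted(info["flags"]))
    print("wall-clock with per-sleep cap:", capped_wait_ms(TRACE), "ms")
```

With the cap in place the two infinite waits collapse to 30 s each, but the 8862 short sleeps still add up to almost three minutes, which is the point of the "sleep count > 30" signature: the count, not the individual duration, is what gives the loop away.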
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New FedEx paper work review.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: New FedEx paper work review.exe, 00000000.00000002.675657030.0000000003271000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Code function: 1_2_01397020 LdrInitializeThunk, 1_2_01397020
Enables debug privileges
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Process created: C:\Users\user\Desktop\New FedEx paper work review.exe C:\Users\user\Desktop\New FedEx paper work review.exe Jump to behavior
Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp Binary or memory string: Progman
Source: New FedEx paper work review.exe, 00000001.00000002.1027752716.0000000001850000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Users\user\Desktop\New FedEx paper work review.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Users\user\Desktop\New FedEx paper work review.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
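The report records only that the sample wrote C:\Windows\System32\drivers\etc\hosts; it does not show the contents. When triaging a host where this has happened, the first question is which entries in that file are active and where they point. The following is an added example (not part of the sandbox report and not the sample's code) that parses a hosts file the way Windows reads it, skips comments and malformed lines, and classifies each active entry as benign (localhost only), sinkholed (a real name sent to 127.0.0.1, 0.0.0.0 or ::1, which blocks that host) or redirected (a real name sent elsewhere). The sample hosts content embedded below is constructed for the example and uses reserved example domains; it is not what this sample wrote.

```python
"""Review a Windows hosts file for entries worth investigating (added example)."""
import ipaddress
import sys

# Constructed sample: the stock Windows hosts file (comments only) plus three
# entries of the kind a stealer or blocker might append. NOT the content the
# sample in this report wrote; the report records only that the file was written.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 example-av-vendor.test
0.0.0.0   update.example.test
198.51.100.7 mail.example.test   # redirect to an attacker-chosen address
"""

# Addresses that make a hostname unreachable rather than redirecting it.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return [(ip, [names])] for each active (non-comment, non-blank) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # no hostname: Windows ignores the line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first token is not an IP address
        entries.append((str(ip), parts[1:]))
    return entries

def review_hosts(text):
    """Classify each active entry as 'benign', 'sinkholed' or 'redirected'."""
    findings = []
    for ip, names in parse_hosts(text):
        real_names = [n for n in names if n.lower() not in LOCALHOST_NAMES]
        if not real_names:
            verdict = "benign"                # only the localhost mappings
        elif ip in SINK_ADDRESSES:
            verdict = "sinkholed"             # a real name is being blocked
        else:
            verdict = "redirected"            # a real name is sent to another host
        findings.append({"ip": ip, "names": names, "verdict": verdict})
    return findings

def suspicious_entries(text):
    """Every active entry that is not a plain localhost mapping."""
    return [f for f in review_hosts(text) if f["verdict"] != "benign"]

if __name__ == "__main__":
    # Pass a path to review a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in review_hosts(text):
        print(f"{f['verdict']:10} {f['ip']:16} {' '.join(f['names'])}")
```

On a stock Windows install every line of the hosts file is a comment, so any active entry at all is worth a look; the classification only tells you whether the entry blocks a name or hijacks it. Run the script against a copy of the file taken from the affected host rather than trusting the live one, since the process that wrote it may still be running.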

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677503823.0000000004271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 3912, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 5956, type: MEMORY
Source: Yara match File source: 1.2.New FedEx paper work review.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\New FedEx paper work review.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 3912, type: MEMORY
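Taken together, the evidence in this report describes a compact host-side pattern: the binary relaunches itself (process created in suspended mode), writes the hosts file, opens browser, FTP, mail and WinSCP credential stores, and the behavior graph shows a connection to mail.privateemail.com on port 587. Any one of these alone is noisy; a single process doing several of them is the stealer. The following is an added example (not Joe Sandbox output and not the sample's code) that runs that correlation over Sysmon-like events. The event schema, the `MAIL_CLIENTS` allowlist and the choice of which of the two reported PIDs is the child are assumptions of the example; the credential store paths and registry keys are the ones listed in this section, and the sample events are constructed.

```python
"""Correlate host telemetry for the behaviours this report attributes to the sample (added example)."""
from collections import defaultdict

HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"

# Credential stores the report shows the sample opening (lower-cased path fragments).
CREDENTIAL_FILES = (
    r"\google\chrome\user data\default\login data",
    r"\mozilla\firefox\profiles.ini",
    r"\thunderbird\profiles.ini",
    r"\filezilla\recentservers.xml",
    r"\smartftp\client 2.0\favorites\quick connect",
)
CREDENTIAL_KEYS = (
    r"software\martin prikryl\winscp 2\sessions",
    r"software\incredimail\identities",
    r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook",
)
# Assumed allowlist: processes expected to speak SMTP submission (port 587).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

def classify(event):
    """Return alert tags for one Sysmon-like event dict (constructed schema)."""
    tags = []
    kind = event["type"]
    if kind == "process_create" and event["image"].lower() == event["parent_image"].lower():
        tags.append("self_spawn")                 # binary relaunches itself; hollowing pattern
    elif kind == "file_write" and event["target"].lower() == HOSTS_FILE:
        tags.append("hosts_file_write")
    elif kind == "file_open" and any(p in event["target"].lower() for p in CREDENTIAL_FILES):
        tags.append("credential_file_access")
    elif kind == "reg_open" and any(p in event["target"].lower() for p in CREDENTIAL_KEYS):
        tags.append("credential_key_access")
    elif kind == "network_connect" and event["dst_port"] == 587:
        exe = event["image"].lower().rsplit("\\", 1)[-1]
        if exe not in MAIL_CLIENTS:
            tags.append("smtp_from_non_mail_client")
    return tags

def correlate(events):
    """Distinct alert tags per PID."""
    per_pid = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_pid[ev["pid"]].add(tag)
    return {pid: sorted(tags) for pid, tags in per_pid.items()}

def suspicious_pids(events, min_categories=2):
    """PIDs hitting at least `min_categories` distinct tags. One category alone
    (an admin editing hosts, a browser reading its own Login Data) is noise;
    the combination is the credential-stealer pattern described in this report."""
    return sorted(pid for pid, tags in correlate(events).items() if len(tags) >= min_categories)

SAMPLE_EXE = r"C:\Users\user\Desktop\New FedEx paper work review.exe"
# Constructed events. PIDs are the two the report lists; treating 5956 as the child is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5956, "image": SAMPLE_EXE, "parent_image": SAMPLE_EXE},
    {"type": "file_write", "pid": 5956, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file_open", "pid": 5956,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "reg_open", "pid": 5956, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "network_connect", "pid": 5956, "image": SAMPLE_EXE, "dst_ip": "198.54.122.60", "dst_port": 587},
    # Benign noise: a real mail client on 587 and Explorer opening an unrelated file.
    {"type": "network_connect", "pid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "198.51.100.25", "dst_port": 587},
    {"type": "file_open", "pid": 880, "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, tags in correlate(SAMPLE_EVENTS).items():
        print(pid, tags)
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

Mapping to real telemetry: `process_create` corresponds to Sysmon Event ID 1 (compare Image with ParentImage), `file_write` and `file_open` to Event ID 11 and file-access auditing, `reg_open` to Event IDs 12/13, and `network_connect` to Event ID 3. The self-spawn check is deliberately loose (same image path) because the hollowed child here has the same name and path as its parent; it will also fire on legitimate self-relaunching installers, which is why the verdict rests on the combination rather than the single tag.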

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.1028180638.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1026177897.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677503823.0000000004271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 3912, type: MEMORY
Source: Yara match File source: Process Memory Space: New FedEx paper work review.exe PID: 5956, type: MEMORY
Source: Yara match File source: 1.2.New FedEx paper work review.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 339030 | Sample: New FedEx paper work review.exe | Startdate: 13/01/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 7 other signatures

Process: New FedEx paper work review.exe (first instance), started
  • Dropped file: C:\...14ew FedEx paper work review.exe.log, ASCII
  • Started process: New FedEx paper work review.exe (second instance)

Process: New FedEx paper work review.exe (second instance)
  • DNS/IP: mail.privateemail.com 198.54.122.60, local port 49768 to remote port 587 (SMTP submission), NAMECHEAP-NETUS, United States
  • Dropped file: C:\Windows\System32\drivers\etc\hosts, ASCII
  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures

Contacted Public IPs

IP: 198.54.122.60 | Domain: unknown | Country: United States | ASN: 22612 | ASN Name: NAMECHEAP-NETUS | Malicious: false

Contacted Domains

Name: mail.privateemail.com | IP: 198.54.122.60 | Active: true

Contacted URLs

Name: https://jeQsgpMQfgg21VTI.net | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown