Analysis Report New PO #0164522433 JAN 2021.gz.exe

Overview

General Information

Sample Name: New PO #0164522433 JAN 2021.gz.exe
Analysis ID: 339125
MD5: 366c006291f6adb53ecdaa39bc1f3c24
SHA1: 5bab58638bffd0b5933f2e266b6f689d9835a9e7
SHA256: 43891ebd12a33234d3776da3e200f2d778cc1a169050f3db729ceb8838f0ebd1
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: New PO #0164522433 JAN 2021.gz.exe Virustotal: Detection: 23%
Machine Learning detection for sample
Source: New PO #0164522433 JAN 2021.gz.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: http://mWLzHd.com
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223823052.000000000132B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, <PrivateImplementationDetails>{79DC2F01-FAFF-4FF0-BA64-E3D4296BD410}/AACAB8ED-2C83-4858-8795-EEDB395CF94A.cs Large array initialization: .cctor: array initializer size 11780
Detected potential crypto function
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 1_2_00BA9013 1_2_00BA9013
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 1_2_030EC62C 1_2_030EC62C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 1_2_030EE890 1_2_030EE890
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 1_2_030EE8A0 1_2_030EE8A0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_00F09013 2_2_00F09013
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_0149094E 2_2_0149094E
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_01490F80 2_2_01490F80
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_0149A602 2_2_0149A602
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_0149A2D0 2_2_0149A2D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C4100 2_2_014C4100
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C62D0 2_2_014C62D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C0668 2_2_014C0668
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C19B8 2_2_014C19B8
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C8A48 2_2_014C8A48
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_01506068 2_2_01506068
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_01501500 2_2_01501500
Sample file is different than original file name gathered from version info
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223605162.0000000000C6C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.223823052.000000000132B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000000.222934806.0000000000FCC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.573629913.0000000001358000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.572733398.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe Binary or memory string: OriginalFilenameEventSourceException.exe@ vs New PO #0164522433 JAN 2021.gz.exe
Uses 32bit PE files
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO #0164522433 JAN 2021.gz.exe.log
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New PO #0164522433 JAN 2021.gz.exe Virustotal: Detection: 23%
Source: unknown Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe 'C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe'
Source: unknown Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO #0164522433 JAN 2021.gz.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New PO #0164522433 JAN 2021.gz.exe, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.New PO #0164522433 JAN 2021.gz.exe.ba0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.New PO #0164522433 JAN 2021.gz.exe.ba0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.New PO #0164522433 JAN 2021.gz.exe.f00000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.New PO #0164522433 JAN 2021.gz.exe.f00000.1.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014908B8 pushad ; iretd 2_2_014908B9
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014908BA push esp; iretd 2_2_014908C1
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_01491B68 push ecx; retf 2_2_01491B6C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014967A7 push edi; retn 0000h 2_2_014967A9
Source: initial sample Static PE information: section name: .text entropy: 7.28301049157
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Window / User API: threadDelayed 1784
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Window / User API: threadDelayed 8073
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 2396 Thread sleep time: -52827s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 2168 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4464 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4456 Thread sleep count: 1784 > 30
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe TID: 4456 Thread sleep count: 8073 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: New PO #0164522433 JAN 2021.gz.exe, 00000001.00000002.224369060.0000000003171000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Code function: 2_2_014C4100 LdrInitializeThunk, 2_2_014C4100
Enables debug privileges
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: New PO #0164522433 JAN 2021.gz.exe, 00000002.00000002.577700823.0000000001DF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.578500355.0000000003443000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
Source: Yara match File source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.gz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.578256610.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.578500355.0000000003443000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.572261277.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.226167520.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: New PO #0164522433 JAN 2021.gz.exe PID: 6120, type: MEMORY
Source: Yara match File source: 2.2.New PO #0164522433 JAN 2021.gz.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph

Behavior Graph ID: 339125, Sample: New PO #0164522433 JAN 2021.gz.exe, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 96
Root signatures: Multi AV Scanner detection for submitted file, Yara detected AgentTesla, Yara detected AntiVM_3, 6 other signatures
Process: New PO #0164522433 JAN 2021.gz.exe started; dropped C:\...\New PO #0164522433 JAN 2021.gz.exe.log (ASCII); started a second New PO #0164522433 JAN 2021.gz.exe
Child process signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
No contacted IP infos