
Analysis Report Request For Quotation_pdf.scr

Overview

General Information

Sample Name: Request For Quotation_pdf.scr (renamed file extension from scr to exe)
Analysis ID: 339373
MD5: a9125d57b0d4162e7da34d6b8c10836f
SHA1: 56bcb534abe3e5111b07b4f502b647fb5584b905
SHA256: 4f84f23b927e4a2f6f64d0c824777c1e0edb05f8f83a662ef59617793582cfb6
Tags: AgentTesla, scr

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Request For Quotation_pdf.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\Request For Quotation_pdf.exe' MD5: A9125D57B0D4162E7DA34D6B8C10836F)
    • schtasks.exe (PID: 6852 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Request For Quotation_pdf.exe PID: 6644 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(2 further entries not expanded in this capture)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Request For Quotation_pdf.exe.64c0000.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Request For Quotation_pdf.exe', ParentImage: C:\Users\user\Desktop\Request For Quotation_pdf.exe, ParentProcessId: 6644, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', ProcessId: 6852

Signature Overview

AV Detection:

Found malware configuration
Source: Request For Quotation_pdf.exe.6644.0.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe, ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: Request For Quotation_pdf.exe, ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Request For Quotation_pdf.exe, Joe Sandbox ML: detected
Source: Request For Quotation_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Request For Quotation_pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: https://70m3WJPOC5dv7ww.org
Source: global traffic, TCP traffic: 192.168.2.3:49747 -> 77.88.21.158:587
Source: Joe Sandbox View, IP Address: 77.88.21.158
Source: unknown, DNS traffic detected: queries for: smtp.yandex.ru
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, String found in binary or memory: http://mPTCSt.com
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://subca.ocsp-certum.com0.
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://subca.ocsp-certum.com01
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://www.certum.pl/CPS0
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: http://yandex.ocsp-responder.com03
Source: Request For Quotation_pdf.exe, 00000000.00000002.606237650.0000000002D12000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606128052.0000000002CE0000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606399641.0000000002D44000.00000004.00000001.sdmp, String found in binary or memory: https://70m3WJPOC5dv7ww.org
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp, String found in binary or memory: https://www.certum.pl/CPS0
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Request For Quotation_pdf.exe
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B48BF0
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B42718
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B45350
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B4A0B8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B4B4E8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B44448
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B45FB0
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B4A7E8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_028DC62C
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_028DE890
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_028DE8A0
Source: Request For Quotation_pdf.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FLahHLuGzK.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Request For Quotation_pdf.exe, 00000000.00000002.607460880.0000000003A7F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamePositiveSign.dll< vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamexjKPyntUGvaYvfCkJdXbGEvM.exe4 vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSoapName.dll2 vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610086375.0000000006210000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.602119236.000000000064E000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@4/4@1/1
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File created: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Mutant created: \Sessions\1\BaseNamedObjects\wAUTKAiLyvsCebSuWgxOX
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File created: C:\Users\user\AppData\Local\Temp\tmp91A5.tmp
Source: Request For Quotation_pdf.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: Request For Quotation_pdf.exe, ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File read: C:\Users\user\Desktop\Request For Quotation_pdf.exe
Source: unknown, Process created: C:\Users\user\Desktop\Request For Quotation_pdf.exe 'C:\Users\user\Desktop\Request For Quotation_pdf.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Request For Quotation_pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Request For Quotation_pdf.exe, Static file information: File size 1206272 > 1048576
Source: Request For Quotation_pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Request For Quotation_pdf.exe, LoaderInformation.cs, .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: FLahHLuGzK.exe.0.dr, LoaderInformation.cs, .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs, .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs, .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B458F2 pushad ; ret 0_2_00B458F9
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Code function: 0_2_00B459A0 pushfd ; ret 0_2_00B459E9
Source: initial sample, Static PE information: section name: .text entropy: 7.29828241423
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File created: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Process information set: NOOPENFILEERRORBOX (reported repeatedly; identical entries collapsed)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match, File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Window / User API: threadDelayed 3490
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Window / User API: threadDelayed 6311
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6648, Thread sleep time: -52043s >= -30000s
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972, Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976, Thread sleep count: 3490 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976, Thread sleep count: 6311 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972, Thread sleep count: 42 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: vmware
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA II
Source: Request For Quotation_pdf.exe, 00000000.00000002.603618561.0000000000E88000.00000004.00000020.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe, Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'Jump to behavior
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Users\user\Desktop\Request For Quotation_pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match -- File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match -- File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
                Source: Yara match -- File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc.)
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to harvest and steal FTP login credentials
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: Yara match -- File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match -- File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match -- File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match -- File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
                Source: Yara match -- File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE

                MITRE ATT&CK Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Obfuscated Files or Information2 | Input Capture1 | System Information Discovery113 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing11 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion14 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection12 | Cached Domain Credentials | Process Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Behavior Graph