Analysis Report Invoice-3990993.exe

Overview

General Information

Sample Name:	Invoice-3990993.exe
Analysis ID:	344833
MD5:	c240ecb4d6da455111dca9256dcd3604
SHA1:	de229f907f93f89d5fe10828fa7e8034e70cda55
SHA256:	4730211b41726d261fe9f81bbbacd224b2659f9f05909395f8492adf187d8666
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: Invoice-3990993.exe.6228.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "2hoa0Zb0I7ot", "URL: ": "https://K2J5CnzUCIra4sFQC.org", "To: ": "chuksanderson@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "7ynpV9cGEL", "From: ": "chuksanderson@hybridgroupco.com"}

Multi AV Scanner detection for submitted file

Source: Invoice-3990993.exe	Virustotal: Detection: 52%			Perma Link
Source: Invoice-3990993.exe	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: Invoice-3990993.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.Invoice-3990993.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: Invoice-3990993.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Invoice-3990993.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_0574AAC8

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://K2J5CnzUCIra4sFQC.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49751 -> 66.70.204.222:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 66.70.204.222 66.70.204.222

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.7:49751 -> 66.70.204.222:587

Source: unknown

DNS traffic detected: queries for: mail.hybridgroupco.com

Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://NvVyeo.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://hybridgroupco.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.hybridgroupco.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Invoice-3990993.exe, 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice-3990993.exe, 00000002.00000002.593714749.0000000003535000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.594174723.000000000359C000.00000004.00000001.sdmp	String found in binary or memory: https://K2J5CnzUCIra4sFQC.org
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Invoice-3990993.exe, 00000000.00000002.230077421.0000000000878000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Source: 2.2.Invoice-3990993.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF7313DE6u002dE794u002d450Au002dAA18u002dE32637E296B4u007d/u00369F9D8A0u002d8A99u002d4283u002dB060u002d03A8D6E65410.cs

Large array initialization: .cctor: array initializer size 12005

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice-3990993.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0086C2B0	0_2_0086C2B0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_00869990	0_2_00869990
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_05749060	0_2_05749060
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_05746278	0_2_05746278
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0574B2C8	0_2_0574B2C8
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005DE22	0_2_0005DE22
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_00052050	0_2_00052050
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_000592E1	0_2_000592E1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD0040	2_2_00FD0040
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FDCC37	2_2_00FDCC37
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD3EF0	2_2_00FD3EF0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD1ED0	2_2_00FD1ED0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD6650	2_2_00FD6650
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD6230	2_2_00FD6230
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FDA6D0	2_2_00FDA6D0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01795200	2_2_01795200
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_0179B518	2_2_0179B518
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01796490	2_2_01796490
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_019146A0	2_2_019146A0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_019145B0	2_2_019145B0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01914690	2_2_01914690
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E192E1	2_2_00E192E1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E12050	2_2_00E12050
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1DE22	2_2_00E1DE22

Sample file is different than original file name gathered from version info

Source: Invoice-3990993.exe, 00000000.00000000.225487389.00000000000E4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.234376489.0000000005610000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamehvvnyXtzKrUuslrzKKgswjLcTb.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamehvvnyXtzKrUuslrzKKgswjLcTb.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.590596788.00000000015A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.588928857.00000000012F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000000.229135116.0000000000EA4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.590726096.0000000001750000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Invoice-3990993.exe
Source: Invoice-3990993.exe	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe

Uses 32bit PE files

Source: Invoice-3990993.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Invoice-3990993.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 2.2.Invoice-3990993.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Invoice-3990993.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\Invoice-3990993.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice-3990993.exe.log

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice-3990993.exe 'C:\Users\user\Desktop\Invoice-3990993.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Invoice-3990993.exe C:\Users\user\Desktop\Invoice-3990993.exe
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process created: C:\Users\user\Desktop\Invoice-3990993.exe C:\Users\user\Desktop\Invoice-3990993.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005BE9A push 28060001h; retn 0000h	0_2_0005BEA0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005DBEB push 28060001h; retn 0000h	0_2_0005DBF1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1DBEB push 28060001h; retn 0000h	2_2_00E1DBF1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1BE9A push 28060001h; retn 0000h	2_2_00E1BEA0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_0191CD51 push esp; iretd	2_2_0191CD5D

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 4556, type: MEMORY

Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Window / User API: threadDelayed 3475			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Window / User API: threadDelayed 6283			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6148	Thread sleep time: -49861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6404	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6408	Thread sleep count: 3475 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6408	Thread sleep count: 6283 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6404	Thread sleep count: 41 > 30	Jump to behavior

Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Users\user\Desktop\Invoice-3990993.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Users\user\Desktop\Invoice-3990993.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 4556, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 6228, type: MEMORY
Source: Yara match	File source: 2.2.Invoice-3990993.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 6228, type: MEMORY

Name	IP	Active
hybridgroupco.com	66.70.204.222	true
mail.hybridgroupco.com	unknown	unknown

ID:	344833
Product:	CloudBasic
Start time:	08:29:13
Start date:	27.01.2021
Sample:	Invoice-3990993.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c240ecb4d6da455111dca9256dcd3604
SHA1:	de229f907f93f89d5fe10828fa7e8034e70cda55
SHA256:	4730211b41726d261fe9f81bbbacd224b2659f9f05909395f8492adf187d8666
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report Invoice-3990993.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs