Analysis Report Bewerbungsschreiben.exe

Overview

General Information

Sample Name: Bewerbungsschreiben.exe
Analysis ID: 344881
MD5: 082f79d8347c5bebbe48b7693f997bc8
SHA1: 09a254878d726d23816d4d90c86b912856b98570
SHA256: 0c10d7fbab534bfee1ca3408fa01a956c99ae6c52d565bbb584c486eff2eaa2c
Tags: exe

Detection

AgentTesla
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Bewerbungsschreiben.exe Virustotal: Detection: 27% Perma Link
Machine Learning detection for sample
Source: Bewerbungsschreiben.exe Joe Sandbox ML: detected

Compliance:

barindex
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Bewerbungsschreiben.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bewerbungsschreiben.exe, 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

barindex
Detected potential crypto function
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 0_2_00007FFA35A32BE7 0_2_00007FFA35A32BE7
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 2_2_0031D819 2_2_0031D819
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 2_2_00319369 2_2_00319369
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 2_2_00313FE8 2_2_00313FE8
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 3_2_00423FE8 3_2_00423FE8
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 3_2_00429369 3_2_00429369
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 3_2_0042D819 3_2_0042D819
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 4_2_00D39369 4_2_00D39369
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 4_2_00D33FE8 4_2_00D33FE8
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 4_2_00D3D819 4_2_00D3D819
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 5_2_00F59369 5_2_00F59369
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 5_2_00F53FE8 5_2_00F53FE8
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 5_2_00F5D819 5_2_00F5D819
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 6_2_0037D819 6_2_0037D819
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 6_2_00379369 6_2_00379369
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 6_2_00373FE8 6_2_00373FE8
Sample file is different than original file name gathered from version info
Source: Bewerbungsschreiben.exe, 00000000.00000002.669510440.000000001BCA0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000000.00000002.669260070.000000001B820000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000000.00000000.658437026.0000000000C96000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000000.00000002.669163828.000000001B780000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000000.00000002.666891379.0000000001219000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLmHUZrzoUwNIKJkNITHH.exe4 vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000002.00000000.662939455.0000000000396000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000003.00000002.664096938.00000000004A6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000004.00000002.664916914.0000000000DB6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000005.00000002.665611516.0000000000FD6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe, 00000006.00000002.666445214.00000000003F6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
Source: Bewerbungsschreiben.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal72.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bewerbungsschreiben.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Mutant created: \Sessions\1\BaseNamedObjects\JPCTvSGJRYCL
Source: Bewerbungsschreiben.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Bewerbungsschreiben.exe Virustotal: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe 'C:\Users\user\Desktop\Bewerbungsschreiben.exe'
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe
Source: unknown Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Bewerbungsschreiben.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Bewerbungsschreiben.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section name: .text entropy: 7.80392973587
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Code function: 2_2_0031471C sldt word ptr [edx] 2_2_0031471C
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe TID: 1680 Thread sleep time: -54969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe TID: 1836 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Queries volume information: C:\Users\user\Desktop\Bewerbungsschreiben.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 344881 Sample: Bewerbungsschreiben.exe Startdate: 27/01/2021 Architecture: WINDOWS Score: 72 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected AgentTesla 2->21 23 Yara detected AntiVM_3 2->23 25 2 other signatures 2->25 6 Bewerbungsschreiben.exe 3 2->6         started        process3 file4 17 C:\Users\user\...\Bewerbungsschreiben.exe.log, ASCII 6->17 dropped 9 Bewerbungsschreiben.exe 6->9         started        11 Bewerbungsschreiben.exe 6->11         started        13 Bewerbungsschreiben.exe 6->13         started        15 2 other processes 6->15 process5
No contacted IP infos