Analysis Report MT 103.exe

Overview

General Information

Sample Name:	MT 103.exe
Analysis ID:	345017
MD5:	4672f4c82e362f8fa602a273b82b2d2c
SHA1:	870e7f55eeb4caf63422e8260e25bbda34cbb4d5
SHA256:	c964743f18f47032f7b0cbfa7467b310927bb44813bd7861d4c85d55d6f34590
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: MT 103.exe.6524.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "FDyIk99O", "URL: ": "https://RUj6sv9z4cuyCVePS.org", "To: ": "shakazoro@vivaldi.net", "ByHost: ": "smtp.vivaldi.net:587", "Password: ": "1CFmnRUIaFbHY", "From: ": "shakazoro@vivaldi.net"}

Multi AV Scanner detection for submitted file

Source: MT 103.exe

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: MT 103.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.MT 103.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: MT 103.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: MT 103.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\MT 103.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_0626A780

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://RUj6sv9z4cuyCVePS.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49749 -> 31.209.137.12:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 31.209.137.12 31.209.137.12

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49749 -> 31.209.137.12:587

Source: unknown

DNS traffic detected: queries for: smtp.vivaldi.net

Source: MT 103.exe, 00000001.00000002.618421104.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MT 103.exe, 00000001.00000002.618421104.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: MT 103.exe, 00000001.00000002.618421104.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://HGYsjc.com
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: MT 103.exe, 00000000.00000002.248507355.0000000002EF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MT 103.exe, 00000001.00000002.618858084.0000000002C72000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.vivaldi.net
Source: MT 103.exe	String found in binary or memory: http://thesnake.herokuapp.com/snakes
Source: MT 103.exe, 00000001.00000002.618540994.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://RUj6sv9z4cuyCVePS.org
Source: MT 103.exe, 00000000.00000002.249712252.0000000003EF9000.00000004.00000001.sdmp, MT 103.exe, 00000001.00000002.616043319.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MT 103.exe, 00000001.00000002.618421104.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Source: 1.2.MT 103.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD09A82CFu002dE41Fu002d44D6u002d9453u002d358E59BDDC15u007d/E545F48Du002d159Fu002d4682u002dB3A7u002d982DC82EB5E9.cs

Large array initialization: .cctor: array initializer size 11939

Detected potential crypto function

Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_02EBC508	0_2_02EBC508
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_02EB9990	0_2_02EB9990
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_0626AF80	0_2_0626AF80
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_06266058	0_2_06266058
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01058400	1_2_01058400
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01050040	1_2_01050040
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_010533C1	1_2_010533C1
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01052608	1_2_01052608
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01059900	1_2_01059900
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_0105EDC8	1_2_0105EDC8
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01059850	1_2_01059850
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01062D50	1_2_01062D50
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01062020	1_2_01062020
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_0106E0C0	1_2_0106E0C0
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_0106BF58	1_2_0106BF58
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_0106AB70	1_2_0106AB70
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01062618	1_2_01062618
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01069DB8	1_2_01069DB8
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D46A0	1_2_050D46A0
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D35C4	1_2_050D35C4
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D3D50	1_2_050D3D50
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050DDA10	1_2_050DDA10
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D4630	1_2_050D4630
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D4690	1_2_050D4690
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D35B8	1_2_050D35B8
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_050D5393	1_2_050D5393

Sample file is different than original file name gathered from version info

Source: MT 103.exe	Binary or memory string: OriginalFilename vs MT 103.exe
Source: MT 103.exe, 00000000.00000000.242100872.0000000000A72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRestrictedErrorObject.exe2 vs MT 103.exe
Source: MT 103.exe, 00000000.00000002.253587991.00000000061D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs MT 103.exe
Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs MT 103.exe
Source: MT 103.exe, 00000000.00000002.248507355.0000000002EF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMbUGqFFoWcXbQVSprfqpYEIMoykwB.exe4 vs MT 103.exe
Source: MT 103.exe	Binary or memory string: OriginalFilename vs MT 103.exe
Source: MT 103.exe, 00000001.00000002.617959918.0000000001200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs MT 103.exe
Source: MT 103.exe, 00000001.00000002.616333882.00000000008E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRestrictedErrorObject.exe2 vs MT 103.exe
Source: MT 103.exe, 00000001.00000002.622690326.0000000006340000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs MT 103.exe
Source: MT 103.exe, 00000001.00000002.616537778.0000000000D38000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MT 103.exe
Source: MT 103.exe, 00000001.00000002.616043319.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameMbUGqFFoWcXbQVSprfqpYEIMoykwB.exe4 vs MT 103.exe
Source: MT 103.exe	Binary or memory string: OriginalFilenameRestrictedErrorObject.exe2 vs MT 103.exe

Uses 32bit PE files

Source: MT 103.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: MT 103.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.MT 103.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.MT 103.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\MT 103.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MT 103.exe.log

Source: C:\Users\user\Desktop\MT 103.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\MT 103.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MT 103.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\MT 103.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MT 103.exe 'C:\Users\user\Desktop\MT 103.exe'
Source: unknown	Process created: C:\Users\user\Desktop\MT 103.exe C:\Users\user\Desktop\MT 103.exe
Source: C:\Users\user\Desktop\MT 103.exe	Process created: C:\Users\user\Desktop\MT 103.exe C:\Users\user\Desktop\MT 103.exe	Jump to behavior

Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_06263C19 push ss; retf	0_2_06263C1A
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_06260006 push es; retf	0_2_0626001C
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 0_2_062619BB push B8FFFFEDh; ret	0_2_062619C0
Source: C:\Users\user\Desktop\MT 103.exe	Code function: 1_2_01067A37 push edi; retn 0000h	1_2_01067A39

Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248507355.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT 103.exe PID: 6452, type: MEMORY

Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\MT 103.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\MT 103.exe	Window / User API: threadDelayed 4278			Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Window / User API: threadDelayed 5477			Jump to behavior

Source: C:\Users\user\Desktop\MT 103.exe TID: 6456	Thread sleep time: -53954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe TID: 6924	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe TID: 6928	Thread sleep count: 4278 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe TID: 6928	Thread sleep count: 5477 > 30	Jump to behavior

Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: MT 103.exe, 00000001.00000002.617564319.0000000000F87000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY-
Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: MT 103.exe, 00000000.00000002.248576551.0000000002F22000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: MT 103.exe, 00000001.00000002.618275722.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MT 103.exe, 00000001.00000002.618275722.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MT 103.exe, 00000001.00000002.618275722.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: MT 103.exe, 00000001.00000002.618275722.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: MT 103.exe, 00000001.00000002.618275722.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Users\user\Desktop\MT 103.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Users\user\Desktop\MT 103.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000001.00000002.618421104.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.618540994.0000000002C12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.616043319.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.618470302.0000000002BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249712252.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT 103.exe PID: 6452, type: MEMORY
Source: Yara match	File source: Process Memory Space: MT 103.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 1.2.MT 103.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\MT 103.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\MT 103.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

ID:	345017
Product:	CloudBasic
Start time:	15:55:34
Start date:	27.01.2021
Sample:	MT 103.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4672f4c82e362f8fa602a273b82b2d2c
SHA1:	870e7f55eeb4caf63422e8260e25bbda34cbb4d5
SHA256:	c964743f18f47032f7b0cbfa7467b310927bb44813bd7861d4c85d55d6f34590
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report MT 103.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs