Play interactive tour

Edit tour

Analysis Report Request for Quote.exe

Overview

General Information

Sample Name:	Request for Quote.exe
Analysis ID:	356719
MD5:	40cb5c4488fff6e0c040ff45cba91ecf
SHA1:	0ea670f7c180a52cd18c0630feea996dbf6dcf77
SHA256:	e9910e5698751eadaa69204411cd4cfe896148b60e71687ab0bd741e790d0488
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Request for Quote.exe (PID: 2260 cmdline: 'C:\Users\user\Desktop\Request for Quote.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Request for Quote.exe (PID: 6376 cmdline: C:\Users\user\Desktop\Request for Quote.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 996 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6400 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 5592 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 1188 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6108 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6676 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Newapp.exe PID: 996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Newapp.exe PID: 996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Request for Quote.exe PID: 2260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Request for Quote.exe PID: 2260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Newapp.exe PID: 6108	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Newapp.exe PID: 6108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quote.exe PID: 6376	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Request for Quote.exe PID: 6376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.Newapp.exe.4a1e1a0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Request for Quote.exe.3ecf990.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Request for Quote.exe.3ecf990.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Request for Quote.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.4b44450.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.4b44450.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.30abf98.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Request for Quote.exe.25e3b94.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
20.2.Newapp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.49b6d80.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Request for Quote.exe.6376.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: Request for Quote.exe	Virustotal: Detection: 28%			Perma Link
Source: Request for Quote.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Request for Quote.exe

Joe Sandbox ML: detected

Source: 5.2.Request for Quote.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 20.2.Newapp.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack

Uses 32bit PE files

Show sources

Source: Request for Quote.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Request for Quote.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49740 -> 223.130.27.213:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49741 -> 223.130.27.213:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://0hH44dwVeXbULYg.com

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587

Source: Joe Sandbox View

ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587

Source: unknown

DNS traffic detected: queries for: mail.flagmonkey.com.au

Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.506806990.000000000332D000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000003.469692196.0000000001174000.00000004.00000001.sdmp	String found in binary or memory: http://0hH44dwVeXbULYg.com
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	String found in binary or memory: http://flagmonkey.com.au
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.flagmonkey.com.au
Source: Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://qunect.com/download/QuNect.exe&Operation
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://uHcRbL.com
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Request for Quote.exe, 00000000.00000003.233620527.0000000007A0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$h
Source: Request for Quote.exe, 00000000.00000003.235037233.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Request for Quote.exe, 00000000.00000003.236228951.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers1
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Request for Quote.exe, 00000000.00000003.236763631.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsywa
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Request for Quote.exe, 00000000.00000003.232018672.0000000007A00000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%u
Source: Request for Quote.exe, 00000000.00000003.232276547.00000000079FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/=v
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Request for Quote.exe, 00000000.00000003.237763152.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.237538687.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Request for Quote.exe, 00000000.00000003.233218699.00000000079DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Request for Quote.exe, 00000000.00000003.232949267.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Request for Quote.exe, 00000000.00000003.235244456.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Request for Quote.exe, 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, Newapp.exe, 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: Newapp.exe, 0000000E.00000002.343532586.0000000001178000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Request for Quote.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 20.2.Newapp.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b55CF6D69u002d4E5Du002d4D68u002d8E88u002dF08D6C6E8534u007d/u0032F84C677u002d560Eu002d4E76u002d8A12u002d7C63DA2EDA80.cs

Large array initialization: .cctor: array initializer size 11991

Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02591028	0_2_02591028
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592168	0_2_02592168
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025917D0	0_2_025917D0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592FE0	0_2_02592FE0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0259EC50	0_2_0259EC50
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595318	0_2_02595318
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595308	0_2_02595308
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025950C8	0_2_025950C8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025950B9	0_2_025950B9
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595798	0_2_02595798
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025904D2	0_2_025904D2
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595590	0_2_02595590
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595581	0_2_02595581
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02594A50	0_2_02594A50
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02594A60	0_2_02594A60
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02593E90	0_2_02593E90
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02593EA0	0_2_02593EA0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02590F21	0_2_02590F21
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592F9A	0_2_02592F9A
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02590F88	0_2_02590F88
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0FC0	0_2_045D0FC0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D35E8	0_2_045D35E8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D3C48	0_2_045D3C48
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0040	0_2_045D0040
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0006	0_2_045D0006
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A9842F0	0_2_0A9842F0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984BB0	0_2_0A984BB0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984BC0	0_2_0A984BC0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984300	0_2_0A984300
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB93238	0_2_0AB93238
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9782E	0_2_0AB9782E
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB93E88	0_2_0AB93E88
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB95DE8	0_2_0AB95DE8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB95DD8	0_2_0AB95DD8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9C3F0	0_2_0AB9C3F0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01416910	5_2_01416910
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014161D8	5_2_014161D8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01415BA0	5_2_01415BA0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0142822C	5_2_0142822C
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0142EBD8	5_2_0142EBD8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014399A0	5_2_014399A0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01436080	5_2_01436080
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143EAE8	5_2_0143EAE8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01430586	5_2_01430586
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143C668	5_2_0143C668
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014371B0	5_2_014371B0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143F5C0	5_2_0143F5C0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572178	14_2_01572178
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01571028	14_2_01571028
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015717E0	14_2_015717E0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0157EC50	14_2_0157EC50
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572FE0	14_2_01572FE0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572168	14_2_01572168
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015750C8	14_2_015750C8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015750B9	14_2_015750B9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575318	14_2_01575318
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575308	14_2_01575308
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575590	14_2_01575590
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575581	14_2_01575581
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015704D2	14_2_015704D2
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015704E0	14_2_015704E0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015717D0	14_2_015717D0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575798	14_2_01575798
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015757A8	14_2_015757A8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574A50	14_2_01574A50
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574A60	14_2_01574A60
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574D68	14_2_01574D68
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01570F21	14_2_01570F21
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572F9A	14_2_01572F9A
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01570F88	14_2_01570F88
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01573E90	14_2_01573E90
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01573EA0	14_2_01573EA0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDFC68	14_2_02FDFC68
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD82D0	14_2_02FD82D0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDA0B0	14_2_02FDA0B0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDA0A1	14_2_02FDA0A1
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDC7B8	14_2_02FDC7B8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDC7A9	14_2_02FDC7A9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8730	14_2_02FD8730
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8B48	14_2_02FD8B48
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8B38	14_2_02FD8B38
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDCE30	14_2_02FDCE30
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDCDF8	14_2_02FDCDF8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967C350	14_2_0967C350
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967782E	14_2_0967782E
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09675DE8	14_2_09675DE8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09675DDB	14_2_09675DDB
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09673F88	14_2_09673F88
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09701048	14_2_09701048
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09700040	14_2_09700040
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09700016	14_2_09700016
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019B4860	20_2_019B4860
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019B4790	20_2_019B4790
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019BDBC0	20_2_019BDBC0

Source: Request for Quote.exe	Binary or memory string: OriginalFilename vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.255811808.000000000ABA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000000.227538059.0000000000282000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.254880635.000000000A9A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
Source: Request for Quote.exe	Binary or memory string: OriginalFilename vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.497343586.0000000000C42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.511879488.0000000006390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.498162050.00000000010F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.502647164.0000000001400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Request for Quote.exe
Source: Request for Quote.exe	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe

Source: Request for Quote.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Request for Quote.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Newapp.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/4@2/1

Source: C:\Users\user\Desktop\Request for Quote.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quote.exe.log

Jump to behavior

Source: Request for Quote.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Request for Quote.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Request for Quote.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Request for Quote.exe	Virustotal: Detection: 28%
Source: Request for Quote.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\Request for Quote.exe

File read: C:\Users\user\Desktop\Request for Quote.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quote.exe 'C:\Users\user\Desktop\Request for Quote.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Source: C:\Users\user\Desktop\Request for Quote.exe	Process created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quote.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Request for Quote.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack

Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00285464 push 97205ACAh; retf	0_2_00285482
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00283F94 push es; ret	0_2_00284004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_002852D8 push ecx; retf	0_2_002852DD
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00283FD6 push es; ret	0_2_00284004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02596A6E push ecx; retf	0_2_02596A6F
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02596D62 push F297BACAh; retf	0_2_02596D67
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9AFA0 push eax; ret	0_2_0AB9AFA1
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C43FD6 push es; ret	5_2_00C44004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42ED2 push ds; iretd	5_2_00C42EE0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C452D8 push ecx; retf	5_2_00C452DD
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42AEB push eax; retf	5_2_00C42AF8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C43F94 push es; ret	5_2_00C44004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C45464 push 97205ACAh; retf	5_2_00C45482
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42E3B push 00000027h; retf	5_2_00C42E46
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0141B5F7 push edi; retn 0000h	5_2_0141B5F9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A83F94 push es; ret	14_2_00A84004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A852D8 push ecx; retf	14_2_00A852DD
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A83FD6 push es; ret	14_2_00A84004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A85464 push 97205ACAh; retf	14_2_00A85482
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01576A6E push ecx; retf	14_2_01576A6F
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01576D62 push F297BACAh; retf	14_2_01576D67
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD9ED1 push ecx; ret	14_2_02FD9EE5
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD5FF4 push eax; iretd	14_2_02FD5FF5
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967AFA0 push eax; ret	14_2_0967AFA1
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09704145 push FFFFFF8Bh; iretd	14_2_09704147
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282E3B push 00000027h; retf	15_2_00282E46
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00285464 push 97205ACAh; retf	15_2_00285482
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00283F94 push es; ret	15_2_00284004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282AEB push eax; retf	15_2_00282AF8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_002852D8 push ecx; retf	15_2_002852DD
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282ED2 push ds; iretd	15_2_00282EE0

Source: initial sample	Static PE information: section name: .text entropy: 7.52597216215
Source: initial sample	Static PE information: section name: .text entropy: 7.52597216215

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Request for Quote.exe

File created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\Request for Quote.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Newapp			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Request for Quote.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection: